Chapter 4: Planning the Active Directory and Security
Chapter 4
11
Chapter 4: Planning the Active Directory and Security
Learning Objectives
Explain the contents of the Active Directory
Plan how to set up Active Directory elements such as organizational units, domains, trees, forests, and sites
Plan which Windows 2000 security features to use in an organization, including interactive logon, object security, and services security
Learning Objectives (continued)
Plan how to use groups, group policies, and security templates
Plan IP security measures
Windows NT Domain Structure
Security Accounts Manager (SAM) database holds data on user accounts, groups, and security privileges
One primary domain controller (PDC) has the master copy of the SAM
One or more backup domain controllers (BDCs) have regularly backed up copies of the SAM
If the PDC fails, a BDC is promoted
Using a PDC, BDCs, and the SAM Database
[Figure 4-1: Windows NT SAM architecture. The PDC holds the primary SAM; each BDC in the domain holds a backup copy of the SAM.]
Windows 2000 Active Directory
Domain objects including user accounts, computers, servers, printers, groups, security policies, domains, and other objects compose the Active Directory
Windows 2000 Active Directory
Made up of the following files:
NTDS.DIT: the single file of the database
EDB*.LOG: log files associated with database transactions
EDB.CHK: error tracking/correction information for the database
RES1.LOG and RES2.LOG: reserve disk space
Active Directory Objects
[Figure 4-2: Domain objects in the Active Directory]
Active Directory Objects
Object types:
User account
Computer account
Domain controller
Groups
Organizational unit
Printers
Multimaster Replication
Multimaster replication: In Windows 2000 there can be multiple servers, called domain controllers (DCs), that store the Active Directory and replicate it to each other. Because each DC acts as a master, replication does not stop when one is down. Each DC is a master in its own right.
Multimaster Replication
• Can create an account on any of the DCs
• Other DCs are automatically updated
• Can be done for changed data only; the whole file does not have to be replicated
• If one DC fails, the others are up-to-date and the system stays up
• No need to stop to promote a BDC
Schema
Schema: Elements used in the definition of each object contained in the Active Directory, including the object class and its attributes
Example Schema Characteristics of the User Account Class
Unique object name
Globally unique identifier (GUID) associated with each object name
Required attributes
Optional attributes
Syntax of how attributes are defined
Pointers to parent entities
Example User Account Attributes
Username
User's full name
Password
Schema Example
[Figure 4-4: Sample schema information for user accounts. Object classes (user account, computer, printer, domain) each carry an object name, GUID, required attributes, optional attributes, syntax, and parent relationships; the user account attributes shown are username, user's full name, password, account description, and remote access OK.]
Default Object Classes
Domain
User account
Group
Shared drive
Shared folder
Computer
Printer
Object Naming
Common name (CN): The most basic name of an object in the Active Directory, such as the name of a printer
E.g. HPLaserMain
Distinguished name (DN): A name in the Active Directory that contains all hierarchical components of an object, such as that object's organizational unit and domain, in addition to the object's common name
CN=<object name>, OU=<organizational unit>, O=<organization>, C=<country code>
Namespace
Namespace: Can be set up as a DNS server
Active Directory Elements
Domains
Organizational units (OUs)
Trees
Forests
Sites
Active Directory Architecture
[Figure 4-5: Active Directory hierarchical containers. A forest contains trees, each tree contains domains, and each domain contains OUs; sites A, B, and C are shown as separate groupings across the domains.]
Functions of a Domain
Provide a security boundary for objects in a common relationship
Establish a set of data to be replicated among DCs
Expedite management of a set of objects
Using a Single Domain
[Figure 4-6: Single domain. One domain with two DCs, each holding the Active Directory, serving Intranet 1 and Intranet 2 inside a single security and management boundary, with a connection to the Internet.]
Using Multiple Domains
[Figure 4-7: Using multiple domains. A domain for the South Carolina site and a domain for the site in Japan, each with its own DCs and Active Directory replicas, connected by a satellite link.]
Domain Creation Dos and Don'ts
Do's:
Create a domain in circumstances that require special security measures between organizational groupings, such as departments, units, or divisions
Create a domain for specialized management of particular resources (often also related to the security and network architecture)
Don'ts:
Create domains that represent the organizational structure, because frequent reorganizations result in major restructuring of domains and the Active Directory
Create domains along business process divisions, which are often political divisions within an organization, because new management may redefine business process activities, resulting in a major restructuring of domains and the Active Directory
Domain Creation Dos and Don'ts (continued)
Do's:
Create a domain to migrate Windows NT servers to Windows 2000
Create a domain when geography or WAN links make it difficult to replicate DCs between organizational groupings, such as departments, units, or divisions
Functions of an OU
Group related objects, such as user accounts and printers, for easier management
Reflect the structure of an organization
Group objects to be administered using the same group policies
Using OUs to Reflect Organizational Structure
[Figure 4-8: OUs used to reflect the divisional structure of a company. The grocery.com domain contains a Manufacturing Division OU, a Distribution Division OU, and a Retail Division OU, each with its own DCs holding the Active Directory.]
Design Tips for Using OUs
Limit OUs to 10 levels or fewer
OUs use fewer CPU resources when they are set up horizontally instead of vertically
Each request through an OU level requires CPU time in a search
OU Creation Dos and Don'ts
Do's:
Create OUs, as needed, to represent the organizational structure of departments, units, and divisions for different policies and to delegate administration
Create OUs, as needed, to represent objects in the Active Directory that have similar policies, security, or other characteristics, such as shared printers or shared disk drives
Don'ts:
Create OUs more than 10 layers deep
Create more OUs than absolutely necessary
OU Creation Dos and Don'ts (continued)
Do's:
Create OUs, as needed, to represent specific project areas, such as for employees who are temporarily helping with the installation of a new client/server system
Create OUs, as needed, to represent the business process or political functions in an organization, such as an OU for the president's office, one for the business office, and one for each research group in a health research organization
Don'ts:
Create OUs for major security boundaries when this can be handled by a domain or by sites (discussed later), such as for IP traffic control
Create OUs for DC replication
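The distinguished-name format from the Object Naming slide and the "10 levels or fewer" OU design tip can be checked mechanically. The following is an added example, not code from the slides: it parses a DN into its components, also accepting the DC= domain components that Windows 2000 DNs carry alongside the CN/OU/O/C form shown, and reports whether the OU nesting stays within the limit. The function names and the sample DNs (built from the slides' HPLaserMain printer, MGardner account and grocery.com domain) are constructed here.

```python
import re

MAX_OU_DEPTH = 10  # slides' design tip: limit OUs to 10 levels or fewer

# One relative distinguished name (RDN) is "type=value"; a value may escape a comma as "\,"
_RDN_RE = re.compile(r"\s*([A-Za-z]+)\s*=\s*((?:\\.|[^,])*)")


def parse_dn(dn):
    """Split a DN into an ordered list of (TYPE, value) pairs, most specific component first."""
    parts = []
    pos = 0
    while pos < len(dn):
        match = _RDN_RE.match(dn, pos)
        if not match:
            raise ValueError("malformed DN near: %r" % dn[pos:])
        attr = match.group(1).upper()
        value = match.group(2).strip().replace("\\,", ",")
        parts.append((attr, value))
        pos = match.end()
        if pos < len(dn):
            pos += 1  # skip the comma separating this RDN from the next one
    return parts


def ou_path(parts):
    """OU chain from the top of the hierarchy down to the object's own container."""
    return [value for attr, value in reversed(parts) if attr == "OU"]


def check_ou_depth(dn, limit=MAX_OU_DEPTH):
    """Return (within_limit, depth) for the OU nesting of a DN."""
    depth = len(ou_path(parse_dn(dn)))
    return depth <= limit, depth


def build_dn(cn, ous_top_down, domain_labels):
    """Build a DN from a CN, an OU chain listed top-down, and DNS labels (DC=...).

    Commas inside values are escaped so the result round-trips through parse_dn.
    """
    def esc(value):
        return value.replace(",", "\\,")

    rdns = ["CN=" + esc(cn)]
    rdns += ["OU=" + esc(ou) for ou in reversed(ous_top_down)]
    rdns += ["DC=" + esc(label) for label in domain_labels]
    return ",".join(rdns)


if __name__ == "__main__":
    # Constructed sample: the slides' printer placed in the Retail Division OU of grocery.com
    printer = build_dn("HPLaserMain", ["Retail Division"], ["grocery", "com"])
    print(printer, check_ou_depth(printer))
    too_deep = build_dn("Printer1", ["Level %d" % i for i in range(1, 12)], ["grocery", "com"])
    print(too_deep, check_ou_depth(too_deep))
```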
Characteristics of a Tree
Member domains are in a contiguous namespace
E.g. chi.devry.edu and tp.devry.edu under the devry tree
Member domains can compose a hierarchy
Member domains use the same schema for common objects
Member domains use the same global catalog (encyclopedia of information about objects)
Global Catalog
Global catalog: A grand repository for all objects and the most frequently used attributes for each object in all domains. Each tree has one global catalog.
Global Catalog Functions
Authenticating users
Providing lookup and access to resources in all domains
Providing replication of key Active Directory elements
Keeping a copy of the most frequently used attributes for all objects
Hierarchical Domains in a Tree
[Figure 4-9: Tree with hierarchical domains. The root domain tracksport.com has child domains west.tracksport.com, east.tracksport.com, north.tracksport.com, and south.tracksport.com, joined by two-way trusts.]
Kerberos Transitive Trust
Kerberos transitive trust relationship: A set of two-way trusts between two or more domains in which Kerberos security is used.
Trusted and Trusting Domains
Trusted domain: A domain that has been granted security access to resources in another domain
Trusting domain: A domain that allows another domain security access to its resources and objects, such as servers
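The trusted/trusting direction and the transitivity of Kerberos trusts decide which accounts a domain will accept. As an added example (not from the slides), the model below stores trusts as directed edges from trusting to trusted domain, treats the two-way trusts of a tree as transitive, and treats the partnership between separate forests as non-transitive, since the Separate Forest slide states such forests cannot have Kerberos transitive trusts. The class and the sample domains (taken from Figures 4-9 and 4-11) are constructed here.

```python
from collections import deque


class TrustMap:
    """Directed trust edges: trusting domain -> {trusted domain: transitive flag}."""

    def __init__(self):
        self._edges = {}

    def add_trust(self, trusting, trusted, transitive=False, two_way=False):
        """The trusting domain accepts accounts from the trusted domain."""
        self._edges.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            self._edges.setdefault(trusted, {})[trusting] = transitive

    def add_kerberos_transitive_trust(self, domain_a, domain_b):
        """Two-way transitive trust, as between parent and child domains in a tree."""
        self.add_trust(domain_a, domain_b, transitive=True, two_way=True)

    def trusted_by(self, trusting):
        """Every domain whose accounts the trusting domain will accept.

        A direct trust always counts. Longer paths count only while every edge on
        them is transitive: a non-transitive link, such as the partnership between
        separate forests, never carries a trust it did not create itself.
        """
        granted = set()
        expandable = {trusting}          # domains reached by an all-transitive path
        frontier = deque([trusting])
        while frontier:
            current = frontier.popleft()
            for trusted, transitive in self._edges.get(current, {}).items():
                if trusted == trusting:
                    continue
                if transitive or current == trusting:
                    granted.add(trusted)
                if transitive and trusted not in expandable:
                    expandable.add(trusted)
                    frontier.append(trusted)
        return granted

    def can_access(self, account_domain, resource_domain):
        """Can an account from account_domain be granted access in resource_domain?"""
        return (account_domain == resource_domain
                or account_domain in self.trusted_by(resource_domain))


def build_sample_trusts():
    """Constructed sample: the tracksport.com tree plus two partnered separate forests."""
    trusts = TrustMap()
    root = "tracksport.com"
    for child in ("west", "east", "north", "south"):
        trusts.add_kerberos_transitive_trust(root, child + "." + root)
    trusts.add_kerberos_transitive_trust("books.com", "cook.books.com")
    trusts.add_kerberos_transitive_trust("printers.com", "hardback.printers.com")
    # separate-forest partnership: two-way, but not transitive
    trusts.add_trust("printers.com", "books.com", transitive=False, two_way=True)
    return trusts


if __name__ == "__main__":
    trusts = build_sample_trusts()
    print("west -> east:", trusts.can_access("west.tracksport.com", "east.tracksport.com"))
    print("cook.books.com -> printers.com:", trusts.can_access("cook.books.com", "printers.com"))
```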
Tree Creation Dos and Don'ts
Do's:
Define main domains before defining a tree
Plan the hierarchy of domains and use of OUs before creating a tree
Define a tree when you have domains in different countries so that you can set up each domain to use a language native to the country where it resides
Don'ts:
Define a tree prior to creating the first domain
Define a tree if you can use a single domain structure (a better alternative than using trees, if possible)
Define a tree if you must use a disjointed namespace
Tree Creation Dos and Don'ts (continued)
Do's:
Define a tree if you are planning multiple domains that will be administered at different sites by different people
Create a tree and multiple domains when WAN connectivity is slow between distant sites, because global catalog replication transfers less information and requires less bandwidth than DC replication
Planning Tip
Make sure each tree has at least one DC that is also configured as a global catalog
Locate global catalog servers in a network design architecture that enables fast user authentication (so that authentication does not have to be performed over a WAN link, for example)
Characteristics of a Forest
Member trees use a disjointed namespace (but contiguous namespaces within trees)
Member trees use the same schema
Member trees use the same global catalog
Single Forest
Single forest: An Active Directory model in which there is only one forest with interconnected trees and domains that use the same schema and global catalog
Single Forest Architecture
[Figure 4-10: A forest. The forest partsplus.com contains three trees: partsplus.com (child domains toronto, montreal, and detroit), 2m.com (child domains greenville, florence, and atlanta), and chelos.com (child domains oaxaca, mexicocity, monterrey, puebla, and valencia).]
Separate Forest
Separate forest: An Active Directory model that links two or more forests in a partnership, but the forests cannot have Kerberos transitive trusts or use the same schema
Separate Forest Architecture
[Figure 4-11: Separate forest model. Forest books.com (health.books.com, cook.books.com) is partnered with forest printers.com (hardback.printers.com, paperback.printers.com, textbook.printers.com).]
Forest Creation Dos and Don'ts
Do's:
Create a forest to join trees/domains that can share schemas and global catalogs
Create a single forest when there is no need to separate internal and external DNS resources between trees
Don'ts:
Create forests when the member trees have little in common or cannot share the same schema
Create a single or separate forest until you understand the security needs of all domains, trees, and potential forests
Forest Creation Dos and Don'ts (continued)
Do's:
Create separate forests when the internal and external DNS resources must be kept separate between two or more forests
Establish a forest's name by using the name of the root domain or first domain in the first tree
Don'ts:
Create a separate forest when there is a possibility that the forests may merge into a single forest in the future
Create a separate forest when the member forests must have a Kerberos transitive trust between them
Design Tip
When you create a separate forest structure, remember that:
Replication cannot take place between forests
The forests use different schema and global catalogs
The forests cannot be easily blended into a single forest in the future
Site
Site: An option in the Active Directory to interconnect IP subnets so that it can determine the fastest route to connect clients for authentication and to connect DCs for replication of the Active Directory. Site information also enables the Active Directory to create redundant routes for DC replication.
Characteristics of a Site
Reflects one or more interconnected subnets (512 Kbps or faster)
Reflects the same boundaries as the LAN
Used for DC replication
Enables clients to access the closest DC
Composed of servers and configuration objects
Site Links
Site link object: An object created in the Active Directory to indicate one or more physical links between two different sites
Site link bridge: An Active Directory object (usually a router) that combines individual site link objects to create faster routes when there are three or more site links
Site Link Architecture
[Figure 4-12: Site link bridge. Sites A, B, and C are connected by Link 1 and Link 2; a bridge link through a router combines the individual site links.]
Site Creation Dos and Don'ts
Do's:
Create sites to reflect interconnected high-speed IP subnets
Create sites on medium and large sized networks to enable fast connectivity for users and for DCs
Don'ts:
Create sites for small networks that have no IP subnets
Create sites for IP links that have less than 128 Kbps of available bandwidth
Site Creation Dos and Don'ts (continued)
Do's:
Create additional sites on medium and large sized networks when user connectivity and DC replication are experiencing slow response
Create sites to enable ring-based DC fault tolerance
Create one or more sites for a domain that encompasses two or more far-reaching geographic locations
Don'ts:
Create extra sites to improve network performance without first determining what network congestion factors are causing poor performance
Design Tip
Define sites in the Active Directory on networks that have multiple global catalog servers that reside in different subnets
Use sites to enhance network performance by optimizing authentication and replication
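The site slides describe sites as groups of IP subnets, site links between them, and the goal of sending each client to the closest DC. The following added example (not from the slides) models that: a client address is matched to its site by longest prefix, and when the site has no DC the cheapest path over site links is followed to one that does; a link slower than the slides' 128 Kbps floor is rejected. The class, the cost formula, the DC names and the subnet addresses are constructed sample data.

```python
import heapq
import ipaddress

MIN_SITE_LINK_KBPS = 128  # slides: do not create sites for links under 128 Kbps


def site_link_allowed(kbps):
    """Apply the slides' bandwidth floor for a site link."""
    return kbps >= MIN_SITE_LINK_KBPS


class SiteMap:
    """Sites with their IP subnets and DCs, plus site links weighted by bandwidth."""

    def __init__(self):
        self._sites = {}  # site -> {"subnets": [ip_network], "dcs": [names]}
        self._links = {}  # site -> {neighbour site: cost}

    def add_site(self, name, subnets, dcs=()):
        self._sites[name] = {
            "subnets": [ipaddress.ip_network(s) for s in subnets],
            "dcs": list(dcs),
        }

    def add_site_link(self, site_a, site_b, kbps):
        """Site link object; cost grows as bandwidth shrinks (constructed formula)."""
        if not site_link_allowed(kbps):
            raise ValueError("%s-%s is below %d Kbps" % (site_a, site_b, MIN_SITE_LINK_KBPS))
        cost = 10000 // kbps
        self._links.setdefault(site_a, {})[site_b] = cost
        self._links.setdefault(site_b, {})[site_a] = cost

    def find_site(self, client_ip):
        """Longest-prefix match of the client address against every site's subnets."""
        addr = ipaddress.ip_address(client_ip)
        best_site, best_len = None, -1
        for name, site in self._sites.items():
            for net in site["subnets"]:
                if addr in net and net.prefixlen > best_len:
                    best_site, best_len = name, net.prefixlen
        return best_site

    def nearest_dc_site(self, start):
        """Dijkstra over site links: the cheapest site (start included) that has a DC."""
        dist = {start: 0}
        heap = [(0, start)]
        while heap:
            cost, site = heapq.heappop(heap)
            if cost > dist[site]:
                continue
            if self._sites.get(site, {}).get("dcs"):
                return site, cost
            for neighbour, link_cost in self._links.get(site, {}).items():
                new_cost = cost + link_cost
                if new_cost < dist.get(neighbour, float("inf")):
                    dist[neighbour] = new_cost
                    heapq.heappush(heap, (new_cost, neighbour))
        return None, None

    def closest_dc(self, client_ip):
        """DC a client should authenticate against: own site first, then nearest linked site."""
        site = self.find_site(client_ip)
        if site is None:
            return None
        dc_site, _ = self.nearest_dc_site(site)
        return self._sites[dc_site]["dcs"][0] if dc_site else None


def build_sample_sites():
    """Constructed sample shaped like Figure 4-12: three sites, two of them with DCs."""
    sites = SiteMap()
    sites.add_site("Site A", ["192.0.2.0/24"], dcs=["DC-A1", "DC-A2"])
    sites.add_site("Site B", ["203.0.113.0/24"], dcs=["DC-B1"])
    sites.add_site("Site C", ["198.51.100.0/24"])  # subnet with no DC of its own
    sites.add_site_link("Site A", "Site B", kbps=1544)
    sites.add_site_link("Site B", "Site C", kbps=512)
    sites.add_site_link("Site A", "Site C", kbps=128)
    return sites


if __name__ == "__main__":
    sites = build_sample_sites()
    for ip in ("192.0.2.10", "198.51.100.7", "10.0.0.1"):
        print(ip, "->", sites.find_site(ip), sites.closest_dc(ip))
```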
Active Directory Guidelines
Keep the Active Directory implementation as simple as possible
Implement the least number of domains possible
Implement only one domain on most small networks
Use OUs to reflect the organizational structure (instead of using domains for this purpose)
Active Directory Guidelines (continued)
Create only the number of OUs that are necessary
Do not create OUs more than 10 levels deep
Use domains for natural security boundaries
Implement trees and forests only as necessary
Active Directory Guidelines (continued)
Use trees for domains that have a contiguous namespace
Use forests for multiple trees that have disjointed namespaces between them
Use sites in situations where there are multiple IP subnets and geographic locations to improve performance
Basic Types of Active Directory Security
Account or interactive logon security
Object security
Services security
Interactive Logon Security
DC checks that the user account is in the Active Directory
DC verifies the exact user account name and password
Object Security
Security descriptor: An individual security property associated with a Windows 2000 Server object, such as enabling the account MGardner (the security descriptor) to access the folder Databases
Access control list (ACL): A list of all security descriptors that have been set up for a particular object, such as for a shared folder or a shared printer
Typical ACL Types of Information
User account(s) that can access an object
Permissions that determine the type of access
Ownership of the object
Typical Object Permissions
Deny: No access to the object
Read: Access to view or read the object's contents
Write: Permission to change the object's contents or properties
Delete: Permission to remove an object
Create: Permission to add an object
Full Control: Permission for nearly any activity
Example Special Permissions
[Figure 4-13: Special permissions for a folder]
Troubleshooting Tip
Deny permission supersedes other permissions, so if there is a permissions conflict for one of your users, check the deny permissions associated with that user's account
Services Security
Windows 2000 enables you to set up security on individual services, such as DHCP
Setting Services Security
[Figure 4-14: DHCP security]
Using Groups
Set up security groups of user accounts as a way to more easily manage security
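The Object Security, Typical Object Permissions and Troubleshooting Tip slides together with this groups slide describe how an ACL resolves: entries apply to a user directly or through group membership, and a deny entry supersedes any allow. The following added example (not from the slides) evaluates an ACL under those rules and names the deny entries behind a conflict, which is the check the troubleshooting tip asks for. The ACL on the slides' Databases folder, the group memberships and the JSmith account are constructed sample data.

```python
PERMISSIONS = ("Read", "Write", "Delete", "Create", "Full Control")
# Full Control is "permission for nearly any activity": expand it to the named permissions
FULL_CONTROL_EXPANDS_TO = {"Read", "Write", "Delete", "Create"}


def _expand(perms):
    """Turn a permission list into a flat set, validating each name."""
    expanded = set()
    for perm in perms:
        if perm not in PERMISSIONS:
            raise ValueError("unknown permission: %r" % perm)
        expanded |= FULL_CONTROL_EXPANDS_TO if perm == "Full Control" else {perm}
    return expanded


def effective_permissions(user, user_groups, acl):
    """Permissions 'user' ends up with on an object.

    acl is a list of (trustee, kind, perms) entries, each one a security descriptor
    in the slides' sense, with kind 'allow' or 'deny'. Entries for the user or any of
    the user's groups apply; deny wins over allow no matter where it sits in the list.
    """
    trustees = {user} | set(user_groups)
    allowed, denied = set(), set()
    for trustee, kind, perms in acl:
        if trustee not in trustees:
            continue
        if kind == "deny":
            denied |= _expand(perms)
        elif kind == "allow":
            allowed |= _expand(perms)
        else:
            raise ValueError("entry kind must be 'allow' or 'deny', got %r" % kind)
    return allowed - denied


def conflicting_denies(user, user_groups, acl, permission):
    """Trustees whose deny entries strip 'permission' from the user (the troubleshooting check)."""
    trustees = {user} | set(user_groups)
    return [trustee for trustee, kind, perms in acl
            if kind == "deny" and trustee in trustees and permission in _expand(perms)]


# Constructed sample ACL for the slides' Databases folder and sample group memberships
DATABASES_FOLDER_ACL = [
    ("Domain Users", "allow", ["Read"]),
    ("DHCP Administrators", "allow", ["Full Control"]),
    ("Contractors", "deny", ["Write", "Delete"]),
    ("MGardner", "allow", ["Write"]),
]
GROUP_MEMBERSHIP = {
    "MGardner": ["Domain Users", "Contractors"],
    "JSmith": ["Domain Users", "DHCP Administrators"],
}


if __name__ == "__main__":
    for user, groups in GROUP_MEMBERSHIP.items():
        print(user, sorted(effective_permissions(user, groups, DATABASES_FOLDER_ACL)))
    # MGardner is allowed Write directly but a group deny removes it
    print(conflicting_denies("MGardner", GROUP_MEMBERSHIP["MGardner"], DATABASES_FOLDER_ACL, "Write"))
```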
Setting Up Members of a Group
[Figure 4-15: DHCP Administrators group]
Group Policies
Use group policies to manage security for local servers, OUs, and domains
Employ security templates when you need to manage several different group policies
Example Areas Covered by Group Policies
Account policies
Local server and domain policies
Event log tracking policies
Group restrictions
Service access security
Registry security
File system security
Setting Up Security Templates
[Figure 4-16: Security Templates snap-in]
IP Security
IP security (IPSec): A set of IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)
IP Security Policies
IP security (IPSec) can function in three roles relative to a client:
Client (Respond Only), in which the server uses IPSec if the client is using it first
Server (Request Security), in which the server uses IPSec by default, but will discontinue using IPSec if it is not supported by the client
Secure Server (Require Security), in which the server only communicates via IPSec
Configuring IPSec
[Figure 4-17: IP Security Policy Wizard]
Troubleshooting Tip
On a network that uses IPSec, if you are having trouble gathering network performance information from some older devices that do not support IPSec, omit the SNMP communications protocol from IPSec
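The three IPSec policy roles on the IP Security Policies slide differ in what happens when the peer cannot or does not use IPSec, and the troubleshooting tip above adds a per-protocol exemption. The following added example (not from the slides) encodes those rules as a decision function so the whole outcome matrix can be inspected; in particular it shows which roles can silently fall back to cleartext. The client-side capability states and the exempt-protocol parameter are assumptions made here to enumerate the cases.

```python
from enum import Enum


class ServerPolicy(Enum):
    """The three IPSec roles the slides list for a Windows 2000 server."""
    CLIENT_RESPOND_ONLY = "Client (Respond Only)"
    SERVER_REQUEST_SECURITY = "Server (Request Security)"
    SECURE_SERVER_REQUIRE_SECURITY = "Secure Server (Require Security)"


class ClientCapability(Enum):
    """Assumed client-side states used to enumerate outcomes (not from the slides)."""
    NO_IPSEC = "does not support IPSec"
    RESPONDS = "uses IPSec only if the server asks for it"
    INITIATES = "initiates IPSec itself"


class Outcome(Enum):
    PROTECTED = "IPSec-protected"
    CLEARTEXT = "cleartext"
    REFUSED = "refused"


def negotiate(server, client, protocol="tcp", exempt_protocols=frozenset()):
    """Outcome of one client/server exchange under a given server policy.

    exempt_protocols models the troubleshooting tip: a protocol left out of the
    IPSec policy (SNMP for old devices) travels in cleartext whatever the role.
    """
    if protocol in exempt_protocols:
        return Outcome.CLEARTEXT
    if server is ServerPolicy.SECURE_SERVER_REQUIRE_SECURITY:
        # only communicates via IPSec: a client that cannot do IPSec gets nothing
        return Outcome.REFUSED if client is ClientCapability.NO_IPSEC else Outcome.PROTECTED
    if server is ServerPolicy.SERVER_REQUEST_SECURITY:
        # uses IPSec by default but discontinues it when the client does not support it
        return Outcome.CLEARTEXT if client is ClientCapability.NO_IPSEC else Outcome.PROTECTED
    # Client (Respond Only): the server never asks, so IPSec happens only if the client starts it
    return Outcome.PROTECTED if client is ClientCapability.INITIATES else Outcome.CLEARTEXT


def outcome_matrix():
    """Every (server role, client capability) pair and what it leads to."""
    return {(s, c): negotiate(s, c) for s in ServerPolicy for c in ClientCapability}


def exposes_cleartext(server):
    """True if some client can end up talking to this server unprotected."""
    return any(negotiate(server, c) is Outcome.CLEARTEXT for c in ClientCapability)


if __name__ == "__main__":
    for (server, client), outcome in outcome_matrix().items():
        print("%-34s %-40s %s" % (server.value, client.value, outcome.value))
    print("SNMP exemption on a Secure Server:",
          negotiate(ServerPolicy.SECURE_SERVER_REQUIRE_SECURITY, ClientCapability.NO_IPSEC,
                    protocol="snmp", exempt_protocols={"snmp"}).value)
```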
Chapter Summary
Active Directory and security implementation are interrelated
The Active Directory is a set of services for managing Windows 2000 servers
Use Active Directory elements such as OUs, domains, trees, and forests to help manage server objects and resources
Chapter Summary (continued)
Use sites to configure network communications for better performance through taking advantage of existing subnets
Groups and group policies enable you to manage security