MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory - PowerPoint PPT Presentation
MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 4: Active Directory Design and Security Concepts MCTS Windows Server 2008 Active ... – PowerPoint PPT presentation

Slides: 50
Provided by: cmsu2Ucmo2

MCTS Guide to Configuring Microsoft Windows
Server 2008 Active Directory
  • Chapter 4: Active Directory Design and Security
    Concepts

  • Work with organizational units
  • Work with forests, trees, and domains
  • Describe the components of a site

Working with Organizational Units
  • Active Directory is based upon standards (LDAP
    and X.500)
  • Lightweight Directory Access Protocol (LDAP)
    • Created by the Internet Engineering Task Force
    • Based on the X.500 Directory Access Protocol
    • Forms the base around which Active Directory is
      built, which allows applications to use LDAP to
      integrate with Active Directory
    • LDAP is present on other operating systems as
      well and can be used to integrate them with
      Active Directory

Working with Organizational Units (cont.)
  • Benefits of using OUs
    • You can create familiar hierarchical structures
      based on an organizational chart to allow easy
      resource access
    • Delegation of administrative authority
    • Able to change the OU structure easily
    • Can group users and computers for the purposes of
      assigning administrative and security policies
    • Can hide AD objects for confidentiality or
      security reasons

OU Delegation of Control
  • Delegation of control means a person with higher
    security privileges assigns authority to a person
    of lesser security privileges to perform certain
  • Allows specific control of what someone with
    delegated control may do
  • Commonly delegated tasks include
    • Create, delete, and manage user accounts
    • Reset user passwords and force password change at
      next logon
    • Read all user information
    • Create, delete, and manage groups
    • Modify the membership of a group
    • Manage group policy links
    • Generate Resultant Set of Policy (Planning)
    • Generate Resultant Set of Policy (Logging)

OU Delegation of Control (cont.)
  • Custom tasks can be created for delegation as
    well, but you must fully understand the nature of
    objects, permissions, and permission inheritance.
  • Knowledge of permissions and how they work is
    important regardless of whether you use custom
    tasks or not
  • By default, the OU's properties don't show that
    another user has been delegated control
  • Instead, to verify who has been delegated control
    of an OU, you must view the OU's permissions.

Active Directory Object Permissions
  • Three types of objects can be assigned permission
    to access an AD object: users, groups, and
    computers. These object types are referred to as
    security principals
  • An AD object's security settings are composed of
    three components
    • Discretionary access control list (DACL)
      • Each entry is referred to as an access control
        entry (ACE)
    • Object owner
      • Usually the user account that created the object
        or a group or user who has been assigned
    • System access control list (SACL)
      • Defines the settings for auditing access to an

Active Directory Permissions (cont.)
  • Each object has a list of standard permissions
    and a list of special permissions
  • Each permission can be set to Allow or Deny, and
    five standard permissions are available for most
    • Full control
    • Read
    • Write
    • Create all child objects
    • Delete all child objects

Active Directory Permissions (cont.)
  • Users can be assigned permission to an object in
    three different ways
    • The user's account is added to the object's DACL,
      a method referred to as explicit permission
    • A group the user belongs to is added to the
      object's DACL
    • The permission is inherited from a parent
      object's DACL to which the user or group account
      has been added.
  • A user's effective permissions are a combination
    of the assigned permissions.
  • Deny permissions override Allow permissions
    • Except when the Deny permission is inherited
      from a parent object and the Allow permission is
      explicitly added to the object's DACL; then the
      Allow permission takes precedence

Using Deny in an ACE
  • If a security principal isn't represented in an
    object's DACL, it doesn't have access to the
  • Deny permissions are not required for every
    object to prevent access
  • Deny permissions are usually used in cases of
    exception, such as when you don't want a user to
    be able to delete child objects in an OU but
    still want to grant access

Permission Inheritance in OUs
  • Permission inheritance defines how permissions
    are transmitted from a parent object to a child
  • All objects in AD are child objects of the domain
  • By default, permissions applied to the parent OU
    with the Delegation of Control Wizard are
    inherited by all child objects of that OU

Advanced Features Option in Active Directory
Users and Computers
  • Default settings in AD Users and Computers hide
    some system folders and advanced features, but
    you can display them by enabling the Advanced
    Features option from the View menu. Afterwards,
    four new folders are shown
    • LostAndFound
    • Program Data
    • System
    • NTDS (NT Directory Service)

Advanced Features Option in Active Directory
Users and Computers (cont.)
  • The Properties dialog box of domain, folder, and OU
    objects will now have three new tabs
    • Object
      • Used to view detailed information about a
        container object
    • Security
      • Used to view and modify an object's permissions
    • Attribute Editor
      • Used to view and edit an object's attributes

Effective Permissions
  • Effective permissions for an object are a
    combination of the allowed and denied permissions
    assigned to a security principal
  • Can come from assignments made directly to a
    single user account or to a group the user
    belongs to
  • Explicit permissions override inherited
    permissions, and can create some exceptions to
    the rule that Deny permissions override Allow

Effective Permissions (cont.)
  • Most common settings for permission inheritance
    • This object only
      • The permission setting isn't inherited by child
        (descendant) objects
    • This object and all descendant objects
      • The permission setting applies to the current
        object and is inherited by all child objects
    • All descendant objects
      • The permission setting doesn't apply to the
        selected object but is inherited by all child
    • Descendant (object type) objects
      • The permission is inherited only by specific
        child object types, such as user, computer, or
        group objects.
  • Permission inheritance is enabled by default on
    child objects, but can be disabled
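To make the rules on the Active Directory Permissions, Using Deny in an ACE and Effective Permissions slides concrete, here is an added Python model; it is not code from the slides or from Microsoft, and the domain, OU, user and group names in it are constructed. It resolves a principal's effective standard permissions from explicit ACEs, group ACEs and ACEs inherited through the OU tree, using the Windows evaluation order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), so it shows the slide's exception where an explicit Allow beats an inherited Deny, the "Descendant (object type) objects" scope, blocked inheritance, and a principal that no ACE names.

```python
from dataclasses import dataclass, field
from typing import Optional

# The five standard permissions named on the slides.
STANDARD_PERMISSIONS = ("Full control", "Read", "Write",
                        "Create all child objects", "Delete all child objects")

# Inheritance scopes, named after the "Applies to" choices on the slides.
THIS_OBJECT_ONLY = "This object only"
THIS_AND_DESCENDANTS = "This object and all descendant objects"
ALL_DESCENDANTS = "All descendant objects"
DESCENDANT_TYPE = "Descendant <object type> objects"


@dataclass
class ACE:
    """One access control entry in an object's DACL."""
    trustee: str                        # security principal: user, group or computer
    allow: bool                         # True = Allow, False = Deny
    permissions: frozenset              # subset of STANDARD_PERMISSIONS
    scope: str = THIS_AND_DESCENDANTS
    object_type: Optional[str] = None   # only meaningful with DESCENDANT_TYPE


@dataclass
class ADObject:
    name: str
    object_class: str                   # "domain", "organizationalUnit", "user", ...
    parent: Optional["ADObject"] = None
    inherits: bool = True               # False = inheritance disabled on this object
    dacl: list = field(default_factory=list)


def explicit_aces(obj):
    """ACEs written on the object itself that apply to the object itself."""
    return [a for a in obj.dacl if a.scope in (THIS_OBJECT_ONLY, THIS_AND_DESCENDANTS)]


def inherited_aces(obj):
    """ACEs flowing down from ancestors, honouring scope and blocked inheritance."""
    aces, cur = [], obj
    while cur.inherits and cur.parent is not None:
        cur = cur.parent
        for a in cur.dacl:
            if a.scope == THIS_OBJECT_ONLY:
                continue
            if a.scope == DESCENDANT_TYPE and a.object_type != obj.object_class:
                continue
            aces.append(a)
    return aces


def effective_permissions(obj, principal, groups=()):
    """Effective standard permissions of a principal on obj.

    ACEs are evaluated as explicit Deny, explicit Allow, inherited Deny,
    inherited Allow: Deny beats Allow at the same level, but an explicit Allow
    beats an inherited Deny. A principal named by no ACE gets nothing.
    """
    who = {principal, *groups}
    explicit = [a for a in explicit_aces(obj) if a.trustee in who]
    inherited = [a for a in inherited_aces(obj) if a.trustee in who]
    ordered = ([a for a in explicit if not a.allow] + [a for a in explicit if a.allow]
               + [a for a in inherited if not a.allow] + [a for a in inherited if a.allow])
    granted = set()
    for perm in STANDARD_PERMISSIONS:
        for ace in ordered:
            covers = set(STANDARD_PERMISSIONS) if "Full control" in ace.permissions else ace.permissions
            if perm in covers:              # the first ACE that mentions the permission decides
                if ace.allow:
                    granted.add(perm)
                break
    return granted


def build_sample_tree():
    """Constructed sample objects (not from the slides): domain > Sales > Contractors > jdoe."""
    domain = ADObject("DC=example,DC=local", "domain", dacl=[
        ACE("Domain Admins", True, frozenset({"Full control"})),
        ACE("Helpdesk", False, frozenset({"Delete all child objects"})),  # domain-wide Deny
    ])
    sales = ADObject("OU=Sales", "organizationalUnit", parent=domain, dacl=[
        ACE("Helpdesk", True, frozenset({"Read", "Write"})),
        # explicit Allow on this OU only: beats the Deny inherited from the domain
        ACE("Helpdesk", True, frozenset({"Delete all child objects"}), scope=THIS_OBJECT_ONLY),
        # applies only to user objects below Sales, not to OUs or groups
        ACE("Password Resetters", True, frozenset({"Write"}),
            scope=DESCENDANT_TYPE, object_type="user"),
    ])
    contractors = ADObject("OU=Contractors", "organizationalUnit", parent=sales)
    marketing = ADObject("OU=Marketing", "organizationalUnit", parent=domain, inherits=False)
    jdoe = ADObject("CN=jdoe", "user", parent=contractors)
    return {"domain": domain, "sales": sales, "contractors": contractors,
            "marketing": marketing, "jdoe": jdoe}
```

Calling `effective_permissions(build_sample_tree()["sales"], "alice", ["Helpdesk"])` returns Read, Write and Delete all child objects, because the explicit Allow on the Sales OU outranks the Deny inherited from the domain; on the child Contractors OU the same group gets only Read and Write, since there both the Allow and the Deny are inherited and Deny wins. On the Marketing OU, where inheritance is disabled, Helpdesk gets nothing at all, which is the slide's point that an absent ACE is already a denial. This is the same resolution the Effective Permissions tab performs on a real domain controller, and it is why delegated control is only visible by reading the OU's permissions.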

Working with Forests, Trees, and Domains
  • Smaller organizations will most likely be focused
    on OUs and their child objects, whereas larger
    organizations might require an AD structure
    composed of several domains, multiple trees, and
    even a few forests
  • The first domain controller creates more than just
    a new domain: it also creates the root of a new
    tree and the root of a new forest
  • May eventually become necessary to add domains to
    the tree, create new trees or forests, and add
    sites to the AD structure

Active Directory Terminology
  • Directory Partitions
  • Operations Master Roles
  • Active Directory Replication
  • Trust Relationships

Directory Partitions
  • Each section of an Active Directory database is
    referred to as a directory partition. There are
    five directory partition types in the AD
    • Domain directory partition
      • Contains all objects in a domain, including
        users, groups, computers, OUs, and so forth
    • Schema directory partition
      • Contains information needed to define AD objects
        and object attributes
    • Global catalog partition
      • Holds the global catalog, which is a partial
        replica of all objects in the forest
    • Application directory partition
      • Used by applications and services to hold
        information that benefits from
    • Configuration partition
      • Holds configuration information that can affect
        the entire forest

Operations Master Roles
  • Several operations in a forest require having a
    single domain controller, called the operations
    master, with sole responsibility for the function
  • First domain controller in the forest generally
    takes on the role of the operations master
  • If necessary, responsibility for these roles can
    be transferred to another domain controller

Operations Master Roles (cont.)
  • There are five operations master roles, referred
    to as Flexible Single Master Operation (FSMO)
    roles in an AD forest
    • Schema master
    • Infrastructure master
    • Domain naming master
    • RID master
    • PDC emulator master
  • When removing DCs from a forest, be careful that
    these roles are not removed from the network

Active Directory Replication
  • Replication is the process of maintaining a
    consistent database of information when the
    database is distributed among several locations
    • Intrasite replication
      • Replication between domain controllers in the
        same site
    • Intersite replication
      • Occurs between two or more sites
    • Multimaster replication
      • Used by AD for replicating AD objects
  • Knowledge Consistency Checker (KCC) runs on all
    • Determines the replication topology, which
      defines the domain controller path that AD
      changes flow through and ensures no more than
      three hops exist between any two DCs

Active Directory Replication (cont.)
Trust Relationships
  • In Active Directory, a trust relationship defines
    whether and how security principals from one
    domain can access network resources in another
  • Since Windows 2000 AD, trust relationships are
    established automatically between all domains in
    the forest
  • Trusts do not equal permissions

The Role of Forests
  • All domains in a forest share some common
    • A single schema
    • Forestwide administrative accounts
    • Operations masters
    • Global Catalog
    • Trusts between domains
    • Replication between domains

The Importance of the Global Catalog Server
  • The first DC installed in a forest is automatically
    designated as a Global Catalog server, but
    additional global catalog servers can be
    configured as well
  • Global Catalog servers perform the following
    vital functions
    • Facilitate domain- and forestwide searches
    • Facilitate logon across domains: users can log
      on to computers in any domain by using their user
      principal name (UPN)
    • Hold universal group membership information

Forest Root Domain
  • The first domain is the forest root and is referred
    to as the forest root domain
  • Imperative to the functionality of AD; if it
    disappears, the entire structure ceases to
  • Functions the forest root domain usually handles
    • DNS server
    • Global catalog server
    • Forestwide administrative accounts
    • Operations masters

Forest Root Domain (cont.)
  • Due to the importance of the forest root domain's
    functionality, some organizations choose a
    dedicated forest root domain
  • The advantages of running a dedicated forest root
    domain include the following
    • More secure
    • More manageable
    • More flexible

Forest Root Domain (cont.)
Choosing a Single or Multiple Forest Design
  • Most organizations operate under a single AD
    forest, which has a number of advantages
    • A common Active Directory structure
    • Easy access to network resources
    • Centralized management
  • The advantages of a single forest structure are
    also limitations in many respects: diversity
    within an organization may make a single forest
    design unfeasible. A multiple forest design
    includes the following advantages
    • Differing schemas are possible
    • Security boundaries
    • Separate administration

Understanding Trusts
  • Trusts allow users in one domain to access
    resources in another domain, without requiring a
    user account in the other domain
  • Types of trust
    • One-way and two-way trusts
    • Transitive trusts
    • Shortcut trusts
    • Forest trusts
    • External trusts
    • Realm trusts

Understanding Trusts (cont.)
One-Way and Two-Way Trusts
  • A one-way trust exists when one domain trusts
    another, but the reverse is not true
  • When domainA trusts domainB, users in domainB may
    access resources in domainA but not vice versa.
  • In this case domainA is the trusting domain and
    domainB is the trusted domain
  • More common is the two-way trust, in which users
    from both domains can be given access to
    resources in the other domain

Transitive Trusts
  • A transitive trust is named after the transitive
    rule of equality in mathematics: if A = B and
    B = C, then A = C
  • If one domain trusts another domain, and that
    domain trusts a third domain, then the first
    domain has a transitive trust with the third
  • In order to authenticate a user, a referral must
    be made to a domain controller in each domain in
    the path to the destination. This can cause
    substantial delays.

Transitive Trusts (cont.)
Shortcut Trusts
  • A shortcut trust is configured manually between
    domains to bypass the normal referral process
  • Shortcut trusts are transitive and can be
    configured as one-way or two-way trusts between
    domains in the same forest
  • Shortcut trusts can reduce delays caused by
    referral processes

Shortcut trusts (cont.)
Forest Trusts
  • A forest trust provides a one-way or two-way
    transitive trust between forests that allows
    security principals in one forest to access
    resources in any domain in another forest
  • Are not possible in Windows 2000 forests
  • They are transitive in the sense that all domains
    in one forest trust all domains in another
    forest, but the trust isn't transitive from one
    forest to another

External Trusts
  • An external trust is a one-way or two-way
    nontransitive trust between two domains that
    aren't in the same forest. Generally used in
    these circumstances
    • To create a trust between two domains in
      different forests
    • To create a trust with a Windows 2000 or Windows
      NT domain
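The trust rules on the One-Way and Two-Way, Transitive, Shortcut, Forest and External Trusts slides can be checked against each other with a small graph model. The following Python is an added example, not code from the slides or from Microsoft; the forest and domain names (corp.example, partner.example, legacy-nt and so on) are constructed. A trust is a directed edge from the trusting domain to the trusted domain, and the referral chain for a user from one domain reaching a resource in another is found by breadth-first search under the slides' rules: a direct trust works in its own direction whether or not it is transitive, a multi-hop chain may only cross transitive trusts, and a forest trust is not transitive from one forest to a third.

```python
from collections import deque


class TrustMap:
    """Directed trust graph. An edge trusting -> trusted means the trusting
    domain accepts users authenticated by the trusted domain, so those users
    can be granted access to the trusting domain's resources."""

    def __init__(self):
        self.edges = {}  # trusting -> {trusted: (kind, transitive)}

    def add(self, trusting, trusted, kind, transitive, two_way=True):
        self.edges.setdefault(trusting, {})[trusted] = (kind, transitive)
        if two_way:
            self.edges.setdefault(trusted, {})[trusting] = (kind, transitive)

    def path(self, resource_domain, user_domain):
        """Shortest referral chain, resource domain first, that lets a user from
        user_domain be authenticated for resource_domain; None if no trust exists.

        Rules taken from the slides: a direct trust works in its own direction
        whether or not it is transitive; a multi-hop chain may only cross
        transitive trusts; a forest trust may appear at most once, because it
        is not transitive from one forest to a third forest.
        """
        if resource_domain == user_domain:
            return [resource_domain]
        if user_domain in self.edges.get(resource_domain, {}):
            return [resource_domain, user_domain]
        start = (resource_domain, 0)          # state: (domain, forest trusts crossed)
        prev = {start: None}
        queue = deque([start])
        while queue:
            state = queue.popleft()
            dom, forests = state
            for nxt, (kind, transitive) in self.edges.get(dom, {}).items():
                if not transitive:
                    continue
                crossed = forests + (1 if kind == "forest" else 0)
                nstate = (nxt, crossed)
                if crossed > 1 or nstate in prev:
                    continue
                prev[nstate] = state
                if nxt == user_domain:
                    return self._unwind(prev, nstate)
                queue.append(nstate)
        return None

    @staticmethod
    def _unwind(prev, state):
        chain = []
        while state is not None:
            chain.append(state[0])
            state = prev[state]
        return chain[::-1]


def referral_hops(trusts, resource_domain, user_domain):
    """Number of trust hops (referrals to another domain's DC) in the chain, or None."""
    chain = trusts.path(resource_domain, user_domain)
    return None if chain is None else len(chain) - 1


def build_sample_trusts(shortcut=False):
    """Constructed sample forests; the names are made up, not from the slides."""
    tm = TrustMap()
    # Forest A: tree corp.example with child domains, plus a second tree root
    tm.add("corp.example", "emea.corp.example", "parent-child", True)
    tm.add("emea.corp.example", "uk.emea.corp.example", "parent-child", True)
    tm.add("corp.example", "apac.corp.example", "parent-child", True)
    tm.add("corp.example", "sub.example", "tree-root", True)
    # Forest B (partner.example) and Forest C (vendor.example)
    tm.add("partner.example", "lab.partner.example", "parent-child", True)
    tm.add("corp.example", "partner.example", "forest", True)
    tm.add("partner.example", "vendor.example", "forest", True)
    # One-way, non-transitive external trust: apac trusts the NT domain only
    tm.add("apac.corp.example", "legacy-nt", "external", False, two_way=False)
    if shortcut:  # manual shortcut trust between two domains in Forest A
        tm.add("apac.corp.example", "uk.emea.corp.example", "shortcut", True)
    return tm
```

With the sample data, a user from uk.emea.corp.example reaching a resource in apac.corp.example needs three referrals (up to corp.example, then down through emea.corp.example), and adding the shortcut trust cuts that to one, which is exactly the delay the Shortcut Trusts slide describes. The external trust lets legacy-nt users into apac.corp.example but not into corp.example, and not in the reverse direction; the forest trust carries lab.partner.example users into emea.corp.example, but vendor.example users never reach corp.example because that would cross two forest trusts.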

Realm Trusts
  • Can be used to integrate users of other OSs into
    a Windows Server 2008 domain or forest
  • This requires the OS to be running the Kerberos
    V5 authentication system that AD uses
  • Kerberos is an open-standard security protocol
    used to secure authentication and identification
    between parties in a network

Designing the Domain Structure
  • Most small and medium businesses choose a single
    domain for reasons that include the following
  • Simplicity
  • Lower costs
  • Easier management
  • Easier access to resources

Designing the Domain Structure (cont.)
  • Using multiple domains makes sense or is even a
    necessity in the following circumstances
  • Compatibility with a Windows NT domain
  • Need for differing account policies
  • Need for different name identities
  • Replication control
  • Need for internal versus external domains
  • Need for tight security

Understanding Sites
  • An AD site represents a physical location where DCs
    are placed and group policies can be applied
  • The first DC of a forest creates a site named
    Default-First-Site-Name once installed
  • Three main reasons for establishing multiple
    • Authentication efficiency
    • Replication efficiency
    • Application efficiency
  • Sites are created using Active Directory Sites
    and Services

Understanding Sites (cont.)
Site Components
  • Subnets
    • Each site is associated with one or more IP
      subnets, and a subnet can only be associated with
      a single site
  • Site Links
    • A site link is needed to connect two or more
      sites for replication purposes
    • Determines the replication schedule and frequency
      between two sites
  • Bridgehead Servers
    • Intersite replication occurs between bridgehead
    • One DC is designated as the Inter-Site Topology
      Generator (ISTG), which then designates a
      bridgehead server to handle replication for each
      directory partition

Site Links
  • Intersite replication topology is determined by
    the cost value associated with site links
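The two site rules above, that a subnet belongs to exactly one site and that the intersite topology follows site-link cost, are easy to get wrong in a large design, so here is an added Python model of them. It is not code from the slides or from Microsoft; the site names, subnets and link costs are constructed. `site_for` picks the most specific matching subnet for a client address, `add_subnet` rejects a subnet already owned by another site, and `cheapest_route` runs Dijkstra over the site links to show which chain of sites replication traffic follows when a cheap hub link is preferred over an expensive direct one.

```python
import heapq
import ipaddress


class SiteTopology:
    """Sites, their subnets and the site links joining them (constructed model)."""

    def __init__(self):
        self.subnets = {}   # ip_network -> site name
        self.links = {}     # site -> [(neighbour site, cost, link name)]

    def add_subnet(self, cidr, site):
        """Associate a subnet with exactly one site; a second site is rejected."""
        net = ipaddress.ip_network(cidr)
        owner = self.subnets.get(net)
        if owner is not None and owner != site:
            raise ValueError(f"{cidr} already belongs to site {owner}")
        self.subnets[net] = site
        self.links.setdefault(site, [])

    def add_site_link(self, name, sites, cost):
        """A site link joins two or more sites; every pair is reachable at its cost."""
        for site in sites:
            self.links.setdefault(site, [])
        for a in sites:
            for b in sites:
                if a != b:
                    self.links[a].append((b, cost, name))

    def site_for(self, ip):
        """Site of a client address: the most specific matching subnet wins."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, site in self.subnets.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, site)
        return None if best is None else best[1]

    def cheapest_route(self, src, dst):
        """Lowest-cost chain of site links from src to dst (Dijkstra), or None."""
        dist, prev = {src: 0}, {}
        heap = [(0, src)]
        while heap:
            d, site = heapq.heappop(heap)
            if site == dst:
                break
            if d > dist[site]:
                continue
            for nxt, cost, _ in self.links.get(site, []):
                nd = d + cost
                if nd < dist.get(nxt, float("inf")):
                    dist[nxt], prev[nxt] = nd, site
                    heapq.heappush(heap, (nd, nxt))
        if dst not in dist:
            return None
        route = [dst]
        while route[-1] != src:
            route.append(prev[route[-1]])
        return dist[dst], route[::-1]


def build_sample_topology():
    """Constructed four-site topology; names, subnets and costs are made up."""
    topo = SiteTopology()
    topo.add_subnet("10.1.0.0/16", "HQ")
    topo.add_subnet("10.1.200.0/24", "DR")          # more specific than HQ's /16
    topo.add_subnet("10.2.0.0/24", "Branch-East")
    topo.add_subnet("10.3.0.0/24", "Branch-West")
    topo.add_site_link("HQ-East", ["HQ", "Branch-East"], cost=100)
    topo.add_site_link("HQ-West", ["HQ", "Branch-West"], cost=100)
    topo.add_site_link("East-West-Backup", ["Branch-East", "Branch-West"], cost=500)
    topo.add_site_link("HQ-DR", ["HQ", "DR"], cost=50)
    return topo
```

In the sample, a client at 10.1.200.7 lands in the DR site rather than HQ because the /24 is more specific than the /16, and replication between the two branches is routed through HQ at a total cost of 200 instead of across the direct link costed at 500. A subnet that is later assigned to a second site raises an error, which is the check worth having before a change is made in Active Directory Sites and Services.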
Chapter Summary
  • Active Directory is based on the X.500 and LDAP
    standards, which are standard protocols for
    defining, storing, and accessing directory
    service objects
  • OUs, the building blocks of the AD structure in a
    domain, can be designed to mirror a company's
    organizational chart. Delegation of control can
    be used to give users some management authority
    in an OU.

Chapter Summary (cont.)
  • Large organizations might require multiple
    domains, trees, and forests
  • Directory partitions are sections of the AD
    database that hold varied types of data and are
    managed by different processes
  • The forest is the broadest logical AD component.
    All domains in a forest share some common
    characteristics, such as a single schema, the
    global catalog, and trusts between domains

Chapter Summary (cont.)
  • Trusts permit domains to accept user
    authentication from another domain and facilitate
    cross-domain and cross-forest resource access
    with a single logon
  • A domain is the primary identifying and
    administrative unit of AD. Each domain has a
    unique name, and there's an administrative
    account with full control over objects in the
  • An AD site represents a physical location where
    domain controllers reside.