8/13/2019 01_Intro Active Directory
1/30
www.technocorp.co.in
Active Directory
Introducing Active Directory Domain Services
Module Overview
Overview of Active Directory, Identity, and Access
Active Directory Components and Concepts
Install Active Directory Domain Services
Identity and Access
Identity: User account
Saved in an identity store (directory database)
Security principal
Represented uniquely by the SID
Resource: Shared Folder
Secured with a security descriptor
DACL or ACL
ACEs or permissions
Authentication and Authorization
A user presents credentials that are authenticated by using the information stored with the user's identity
The system creates a security token that represents the user, with the user's SID and all related group SIDs
A resource is secured with an ACL: permissions that pair a SID with a level of access
The user's security token is compared with the ACL of the resource to authorize a requested level of access
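The comparison just described, as an added example that is not part of the slides: a PowerShell function models the token-versus-DACL check, and the SIDs, access-mask values and ACEs are constructed for illustration.

```powershell
# Added example, not from the original slides: a simplified model of the
# Windows access check. The token carries the user's SID plus all group SIDs;
# the resource's DACL is an ordered list of ACEs pairing a SID with an access
# mask. ACEs are walked in order: a Deny ACE overlapping the requested access
# fails the check, Allow ACEs accumulate rights until everything requested is
# granted. SIDs and mask values below are constructed for illustration.
$READ    = 0x1
$WRITE   = 0x2
$EXECUTE = 0x4

function New-Ace([string]$Type, [string]$Sid, [int]$Mask) {
    [pscustomobject]@{ Type = $Type; Sid = $Sid; Mask = $Mask }
}

function Test-Access {
    param(
        [string[]]$TokenSids,   # user SID followed by every group SID
        $Dacl,                  # ordered ACE list, canonical order: denies first
        [int]$Requested
    )
    # A NULL DACL means "no protection" and grants everything; an empty DACL
    # grants nothing. Confusing the two is a classic misconfiguration.
    if ($null -eq $Dacl) { return $true }
    $granted = 0
    foreach ($ace in $Dacl) {
        if ($TokenSids -notcontains $ace.Sid) { continue }   # ACE does not apply
        switch ($ace.Type) {
            'Deny'  { if (($ace.Mask -band $Requested) -ne 0) { return $false } }
            'Allow' { $granted = $granted -bor ($ace.Mask -band $Requested) }
        }
        if (($granted -band $Requested) -eq $Requested) { return $true }
    }
    return $false
}

# Constructed token: the user's own SID, then Domain Users (RID 513) and a
# Finance group; constructed DACL on a shared folder: Finance is denied write,
# Domain Users may read, and this user is individually allowed write.
$token = @('S-1-5-21-1000-2000-3000-1105',
           'S-1-5-21-1000-2000-3000-513',
           'S-1-5-21-1000-2000-3000-1201')
$dacl = @(
    (New-Ace 'Deny'  'S-1-5-21-1000-2000-3000-1201' $WRITE),
    (New-Ace 'Allow' 'S-1-5-21-1000-2000-3000-513'  $READ),
    (New-Ace 'Allow' 'S-1-5-21-1000-2000-3000-1105' $WRITE)
)

"read:      $(Test-Access -TokenSids $token -Dacl $dacl -Requested $READ)"
"write:     $(Test-Access -TokenSids $token -Dacl $dacl -Requested $WRITE)"
"null DACL: $(Test-Access -TokenSids $token -Dacl $null -Requested $EXECUTE)"
```

The write request fails even though the user's own SID is allowed write, because the group Deny ACE is evaluated first; this is why group membership in the token matters as much as the user's own ACE.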
Authentication
Authentication is the process that verifies a user's identity
Credentials: at least two components required
User name
Secret, for example, a password
Two types of authentication
Local (interactive) logon: authentication for logon to the local computer
Remote (network) logon: authentication for access to resources on another computer
Stand-Alone (Workgroup) Authentication
The identity store is the SAM database on the Windows system
No shared identity store
Multiple user accounts
Management of passwords is challenging
Active Directory Domains: Trusted Identity Store
Centralized identity store trusted by all domain members
Centralized authentication service
Hosted by a server performing the role of an AD DS domain controller
Active Directory and IDA Services
Active Directory IDA services:
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Certificate Services (AD CS)
Active Directory Rights Management Services (AD RMS)
Active Directory Federation Services (AD FS)
Active Directory Components and Concepts
Active Directory as a Database
Organizational Units
Policy-Based Management
Active Directory Data Store
Domain Controllers
Domain
Replication
Sites
Forest
Tree
Global Catalog
Functional Levels
Active Directory As a Database
Active Directory is a database
Each record is an object
Users, groups, computers, and so on
Each field is an attribute
Logon name, SID, password, description, membership, and so on
Identities (security principals or accounts)
Services: Kerberos, DNS, and replication
Accessing the database
Windows tools, user interfaces, and components
APIs (.NET, VBScript, Windows PowerShell)
Organizational Units
Containers
Users
Computers
Organizational Units
Containers that also support the management and configuration of objects by using Group Policy
Create OUs to:
Delegate administrative permissions
Apply Group Policy
Policy-Based Management
Active Directory provides a single point of management and configuration through policies
Group Policy
Configuration applied to users or computers by scoping a GPO containing configuration settings
Domain password and lockout policy
Fine-grained password and lockout policies
Audit policy
Active Directory Data Store
%systemroot%\NTDS\ntds.dit
Logical partitions
Domain naming context
Schema
Configuration
Global catalog (Partial Attribute Set)
DNS (application partitions)
SYSVOL: %systemroot%\SYSVOL
Logon scripts
Policies
Domain Controllers
Servers that perform the AD DS role
Host the Active Directory database (NTDS.DIT) and SYSVOL
Replicated between domain controllers
Kerberos KDC service: Performs authentication
Other Active Directory services
Best practices
Availability: at least two in a domain
Security: Server Core and RODCs
Domain
Made up of one or more DCs
All DCs replicate the Domain naming context (Domain NC)
The domain is the context within which users, groups, computers, and so on are created
Replication boundary
Trusted identity source: any DC can authenticate any logon in the domain
The domain is the maximum scope (boundary) for certain administrative policies
Password
Lockout
Replication
Multimaster replication
Objects and attributes in the database
Contents of SYSVOL are replicated
Several components work to create an efficient and robust replication topology and to replicate granular changes to AD
The Configuration partition of the database stores information about sites, network topology, and replication
Sites
An Active Directory object that represents a well-connected portion of your network
Associated with subnet objects representing IP subnets
Intrasite vs. intersite replication
Replication within a site occurs very quickly (15-45 seconds)
Replication between sites can be managed
Service localization
Log on to a DC in your site
Forest
A collection of one or more Active Directory domain trees
First domain is the forest root domain
Single configuration and schema replicated to all DCs in the forest
A security and replication boundary
Tree
One or more domains in a single instance of AD DS that share a contiguous DNS namespace
Global Catalog
Partial Attribute Set or Global Catalog
Contains every object in every domain in the forest
Contains only selected attributes
A type of index
Can be searched from any domain
Very important for many applications
Functional Levels
Domain functional levels
Forest functional levels
New functionality requires that domain controllers are running a particular version of Windows
Windows 2000
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Cannot raise functional level while domain controllers are running previous Windows versions
Cannot add domain controllers running previous Windows versions after raising functional level
DNS and Application Partitions
Active Directory and DNS are closely integrated
One-to-one relationship between the DNS domain name and the logical domain unit of Active Directory
Complete reliance on DNS to locate computers and services in the domain
A domain controller acting as a DNS server can store the zone data in Active Directory itself, in an application partition
Trust Relationships
Extends concept of trusted identity store to another domain
Trusting domain (with the resource) trusts the identity store and authentication of the trusted domain
A trusted user can authenticate to, and be given access to resources in, the trusting domain
Within a forest, each domain trusts all other domains
Trust relationships can be established with external domains
Install Active Directory Domain Services
Install Windows Server 2008 R2
Server Manager and Role-Based Configuration of Windows 2008 R2
Prepare to Create a New Forest with Windows Server 2008
Install and Configure a Domain Controller
Prepare to Create a New Forest with Windows Server 2008
Domain's DNS name (domainname.com)
Domain's NetBIOS name (domainname)
Whether the new forest will need to support DCs running previous versions of Windows (affects choice of functional level)
Details about how DNS will be implemented to support AD DS
Default: creating a domain controller adds the DNS Server role as well
IP configuration for the DC: IPv4 and, optionally, IPv6
User name and password of an account in the server's Administrators group; the account must have a password
Location for data store (ntds.dit) and SYSVOL
Default: %systemroot% (c:\windows)
Install and Configure a Domain Controller
1. Install the Active Directory Domain Services role by using Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator password
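The preparation checklist and the six steps above, as an added example that is not taken from the slides: it uses the ADDSDeployment cmdlets of Windows Server 2012 and later instead of the Windows Server 2008 R2 wizard the slides describe, and the domain name, NetBIOS name and paths are placeholders.

```powershell
# Added example, not from the original slides: the preparation checklist and
# the six installation steps expressed with the ADDSDeployment cmdlets that
# replaced the dcpromo wizard on Windows Server 2012 and later. Run from an
# elevated session as a member of the server's Administrators group; every
# name and path below is a placeholder.

# Step 1: add the AD DS role (the Server Manager step); the management tools
# bring the ADDSDeployment and ActiveDirectory PowerShell modules with them.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 6 input, gathered first so it never sits in the script or shell history:
# the DSRM password is the only way into the DC if the directory database is
# damaged, so store it in the organisation's password safe as well.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Steps 2-5: deployment configuration (new forest), DNS, and file locations,
# using the values from the preparation checklist. ForestMode and DomainMode
# are left at their default (the level of this server's Windows version);
# set them lower only if DCs running older Windows versions must join.
$forestParams = @{
    DomainName                    = 'corp.example.com'  # placeholder DNS name
    DomainNetbiosName             = 'CORP'              # placeholder NetBIOS name
    InstallDns                    = $true               # default: DC also becomes a DNS server
    DatabasePath                  = 'C:\Windows\NTDS'   # ntds.dit, default under %systemroot%
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
}

# Dry run: checks prerequisites (static IP configuration, local admin rights,
# name availability) and reports problems without changing the server.
Test-ADDSForestInstallation @forestParams

# Promote the server; -Force skips the confirmation prompt, and the server
# reboots as the first domain controller of the new forest.
Install-ADDSForest @forestParams -Force
```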
Module Overview
Work with Active Directory Administration Tools
Custom Consoles and Least Privilege
Find Objects in Active Directory
Use Windows PowerShell to Administer Active Directory
Work with Active Directory Administration Tools
MMC Console
Active Directory Administration Snap-Ins
What Is the Active Directory Administrative Center?
Find Active Directory Administration Tools
Demonstration: Perform Administrative Tasks by Using Active Directory Administrative Tools
MMC Console
(Figure: MMC console layout showing the Console Tree, Details Pane, and Actions Pane, with Show/Hide Console Tree and Show/Hide Actions Pane toolbar buttons)
Active Directory Administration Snap-Ins
Active Directory Users and Computers
Manage most common day-to-day objects, including users, groups, computers, printers, and shared folders
Active Directory Sites and Services
Manage replication, network topology, and related services
Active Directory Domains and Trusts
Configure and maintain trust relationships and the domain and forest functional level
Active Directory Schema
Administer the Schema