Hosted by

Getting Started With Active Directory

Or How to Bring Logic to Your Company’s 437 Domains

Hosted by

So Who is This Guy Anyway?

Founder and Chief Scientist

Networks Are Our Lives, Inc!

• Network and Directory services design

• Security

• Network Documentation

• Systems management/monitoring deployment

Author 3 Books and over 100 articles and product reviews

Currently with Network Computing

Contact:Networks Are Our Lives, Inc! hmarks@naol.com

1201 Hudson St. – Suite 1003s (866) 812-7611

Hoboken, NJ 07030 WWW.NAOL.COM

Hosted by

Why You’re Here

Functions and applications driving update

Just keeping up With the market Or the Joneses

Windows NT Timeline Next week – OEM and retail sales end 1/1/2003 4 – Hot-Fixes cost $ 1/1/2004 5 – Live support and hot fixes end 1/1/2005 6 – Online support ends

Easy way to get off helpdesk for 3 days

Hosted by

Our Objectives

Understand Active Directory• Components

• Terminology

• Structure

• Features and benefits

Identify Best Practices

Implementation Tips

Hosted by

Make your life easier!

Our Real Objective

Hosted by

Assumptions

You know:• Windows NT 4.0 Server

• TCP/IP

You don’t know:• Active Directory

• Group Policies Etc

You are:• Planning a Windows 2000+ server rollout

• Have 50-10,000 users to support

• Awake

Hosted by

ADS, then, is...

Extension of and replacement for Windows NT

Domains

The directory service included in Windows 2000+

Based on DNS, LDAP and X.500

Active Directory Services are…• Secure

• Distributed

• Partitioned

• Replicated

Hosted by

Before AD

Windows NT domains• Typical organization had master user domains and

resource domains

• Each domain needed: WINS for NetBIOS names DNS for internet names The browser Email, Application and other directories

Other vendors had true Directory Services:• Banyan Streetalk

• Novell NDS (eDirectory)

Hosted by

Why Active Directory Windows NT domains limited

• Each domain an island

• Trusts Stink Too much work to set up They “Rot Away” Large organizations need thousands

• Not Scalable

• Single master replication If PDC is down, or inaccessible, user’s can’t change

passwords

• No delegation of administration

• Microsoft is forcing us that way Exchange 2000 requires AD

Hosted by

Basic Definitions Forest

A group of domains joined into a common directory. The largest unit in AD.

All domains in forest share Schema, some administrators, 2 way trusts

Tree Domains in a forest with common suffix IE:US.AD.widget.com,EURO.AD.widget.com

Domain Administrative and replication boundary Conceptually the same as Windows NT but now

corresponds to DNS domain Domain controllers hold all the information about objects

(users, groups, computers, Etc.) in their domain

Hosted by

More Definitions Organizational Units (OU) Administrative boundary smaller than domain Contain objects for administrative, organizational

purposes

Site A group of systems with LAN 10Mbps Site configuration effects replication Defined by IP subnets

Global Catalog A server that contains a subset of attributes for all

objects in the forest Think White Pages Includes Email address, domain (so we can ask DC for

more data)

Hosted by

Final Definitions

Kerberos

• A Public Key Infrastructure based authentication system

Schema

• All the attributes for all the objects are defined in the schema

Syntax defines the type of data that can be stored in the

attribute

• The schema definition for each object class identifies all the

possible attributes for the object

• The schema contains a default DACL for each object class

The default ACLs is used when an instance of the object is

created in the directory

Hosted by

AD Design Choices LDAP access

• Protocol was becoming industry standard

X.500 data model• Object hierarchy permits subtree-scoped queries • Schema defines attributes and object classes

Attribute-level access control • Required for data sharing between applications

DNS-integrated object naming• Enables a globally unique namespace based on the de facto Internet

locator service

Security• Multiple authentication paths, one authorization model

In-place or side-by-side upgrade• Learned from Novell: offer upgrade flexibility!

Hosted by

Replication Design ChoicesMulti-master

• Need local password update

• Approximately “last writer wins”

• Eventual convergence

Attribute granularity• When attribute changes, replicate entire new value

• Reduces network traffic and lost updates versus object granularity

State-based• Send current state not a log

• Predictable storage overhead, needed anyway for full sync

• Implies tombstones for deletes

Transitive• Communicate update to somebody not everybody

• Big win with mixed link speed - once per slow link

• Automated topology generation (“KCC”)

Hosted by

Logical Structure Relationships

Global CatalogGlobal CatalogForest

Chevy.GM.COM

Trucks.chevy.gm.com

SAAB.CO.SA

NA.SAAB.CO.SA

OU

OU OU OU OU

OUOU

OU

OUOUOUOU

OU OU

OU

ObjectsSchema

Tree

Tree

Hosted by

So What do We Get?

True Multi-Domain Integration

Transitive Trusts

Global Catalog

Group Policy Objects

Controllable Replication

Directory Security

Granular Administration

Hosted by

When to Use Multiple Trees

Public view requires different root domain

names• IE: Kraft Foods doesn’t want .PhillipMorris.com suffix

Politics require divisions to keep their

names

There is no technical advantage to

multiple trees

Hosted by

When to use multiple forests

When, and only when, the service owners of

multiple trees don’t trust each other

Multiple forest implementations do NOT:• Share a common global catalog

No exchange GAL

• Trust each other

You can set up old style trusts between domains in

different forests

Rule of thumb: 1 forest per CIO

Hosted by

Domain Controller Roles

Flexible Single Master Operations (FSMOs)

• 1 Per Forest:

Domain Naming Master

Schema Master

Time Reference Server

• 1 Per Domain:

PDC Emulator

RID (Relative ID)Master

Infrastructure Master

KCC/ ISTG (generates inter-site topology)

ISM (inter-site messaging)

Global catalog

Hosted by

Reasons for Creating Domains

Physical location

Network traffic

International differences

Administrative considerations• All users share restrictions (Password Length Etc)

Politics

NOT: Defining spheres of administration (OUs can

do that)

Hosted by

Break sponsored by

Hosted by

What are OUs

They are distinct units of administration

that can be delegated

They are containers that organize

objects and other containers

Examples are geographic locations,

projects, cost centers, business units,

and divisions

Hosted by

What OUs Can Contain

UsersUsersPrintersPrinters

ComputersComputers

Other OUsOther OUsSecurity PoliciesSecurity Policies

ApplicationsApplications

GroupsGroups

OUOUOUOU

OUOUOUOU

File SharesFile Shares

Hosted by

Reasons for Creating OUs

Enhancing administrative control

Maintaining a consistent number of objects

Controlling application of group policy objects

Holding other OUs

Replacing windows NT 4.0 resource domains

Hosted by

Remember:Domains are Expensive

Every domain Must have a

DC

Most should have 2-3 or

more

Logins require connectivity

to home DC

Logins more traffic than

replication

Hosted by

Hierarchical OU Models

Geographic

Object-based

Cost center

Project-based

Division or business unit

Administration

Hosted by

Define an OU Naming Convention

OUs are not part of the DNS namespace

OUs are identified by LDAP and canonical

names only

While domains are difficult to reorganize,

OUs within domains can be easily

renamed or moved

Hosted by

OU1OU1 DACL for “Group” objects

Jill can add usersJill can add users

Jill can add usersJill can add users

OU2OU2 DACL for “Group” objects

John can add usersJohn can add users

John can add usersJohn can add users

Group object

Group object

Delegating Administration

The ability to set ACLs for contained objects at OU level means that you can define “who can do what” to a particular object in the OU• Groups created in OU1 can be administered by Jill

• Groups created in OU2 can be administered by John

Hosted by

Delegation of Control Wizard

Good news• There is a delegation of control wizard

Bad news• There is no undelegation of control wizard

After of delegation of control, the users must be given

visibility permissions to the objects/containers they

control

Learn to edit and document ACL’s

Only delegate control to groups, not users

Hosted by

Delegation of Control Wizard

Hosted by

ADS Security Features - Review

Objects have an Access Control List (ACL)

Permissions can be delegated to users by a higher

authority

Inheritance allows permissions to be propagated

to all objects in child containers

Trusts are established among all domains in an

ADS forest• Explicit trusts can be established between domains in foreign

forests or legacy NT domains

Hosted by

Group Types

Security Groups• Allow you to assign permissions

• Allow you to use groups as an e-mail distribution list

• Windows NT uses only security groups

Distribution Groups• Do not allow you to assign permissions

• Allow you to use groups as an e-mail distribution list

Hosted by

Rules for Group Membership

Universal groups only available in native mode

GroupGroup Group membersGroup members Can be a member ofCan be a member ofCan be a member ofCan be a member of

Global User accounts and global

groups from the same domain

Universal and domain local groupsin any domain

Global groups in the same domain

Universal and domain local groupsin any domain

Global groups in the same domain

Domain Local

User accounts, universal, and global groups from any domain

Domain local groups from the same domain

Universal Universal User accounts, universal, and global groups from any domain

User accounts, universal, and global groups from any domain

Domain local groups in thesame domain

Domain local groups in thesame domain

Domain local or universal groupsin any domain

Domain local or universal groupsin any domain

Hosted by

Group Scopes

Domain Local GroupDomain Local GroupDomain Local GroupDomain Local Group

Open membership Use for access to resources in one

domain

Open membership Use for access to resources in one

domain

Global GroupGlobal GroupGlobal GroupGlobal Group

Limited membership Use for access to resources in any

domain

Limited membership Use for access to resources in any

domain

Universal GroupUniversal GroupUniversal GroupUniversal Group

Open membership Use for access to resources in any

domain

Open membership Use for access to resources in any

domain

Hosted by

How does AD use DNS?

Windows 2000 uses DNS as a domain locator and

name-to-IP translator• Domain controllers are registered in DNS

• Clients query DNS to locate DCs

Analogous to Internet mail (the MX record)

Better-scaling long-term replacement for

NetBIOS Name Services (aka WINS)

Requires DNS servers that support Dynamic

Updates (Windows or Bind 8+)

Hosted by

Migrating to AD

Single Domain• Migrate in place

• Clean up Later

2-3 Domains• Migrate “root” domain in place

• Use ADMT for additional domains You’re stuck with SIDHistory

Bigger Now• Redesign from scratch

• Use 3rd party tools from Aelita or NetIQ

Hosted by

Audience Response

Question?

Hosted by