

Number of slides: 37

Getting Started With Active Directory, or How to Bring Logic to Your Company's 437 Domains

So Who is This Guy Anyway?
• Founder and Chief Scientist, Networks Are Our Lives, Inc!
  - Network and directory services design
  - Security
  - Network documentation
  - Systems management/monitoring deployment
• Author
  - 3 books and over 100 articles and product reviews
  - Currently with Network Computing
• Contact: Networks Are Our Lives, Inc!, [email protected], 1201 Hudson St., Suite 1003, Hoboken, NJ 07030, (866) 812-7611, www.naol.com

Why You're Here
• Functions and applications driving the update
• Just keeping up
  - With the market
  - Or the Joneses
• Windows NT timeline
  - Next week: OEM and retail sales end
  - 1/1/2003: hot-fixes cost $
  - 1/1/2004: live support and hot fixes end
  - 1/1/2005: online support ends
• Easy way to get off the helpdesk for 3 days

Our Objectives
• Understand Active Directory
  - Components
  - Terminology
  - Structure
  - Features and benefits
• Identify best practices
• Implementation tips

Our Real Objective: Make your life easier!

Assumptions
• You know:
  - Windows NT 4.0 Server
  - TCP/IP
• You don't know:
  - Active Directory
  - Group Policies, etc.
• You are:
  - Planning a Windows 2000+ server rollout
  - Supporting 50-10,000 users

ADS, then, is...
• An extension of and replacement for Windows NT domains
• The directory service included in Windows 2000+
• Based on DNS, LDAP and X.500
• Active Directory Services are...
  - Secure
  - Distributed

Before AD
• Windows NT domains
  - A typical organization had master user domains and resource domains
  - Each domain needed:
    - WINS for NetBIOS names
    - DNS for Internet names
    - The browser
    - Email, application and other directories
• Other vendors had true directory services:
  - Banyan StreetTalk
  - Novell NDS (eDirectory)

Why Active Directory
• Windows NT domains are limited
  - Each domain is an island
  - Trusts stink
    - Too much work to set up
    - They "rot away"
    - Large organizations need thousands
  - Not scalable
  - Single-master replication
    - If the PDC is down or inaccessible, users can't change passwords
  - No delegation of administration
• Microsoft is forcing us that way
  - Exchange 2000 requires AD

Basic Definitions
• Forest
  - A group of domains joined into a common directory; the largest unit in AD
  - All domains in a forest share the schema, some administrators, and two-way trusts
• Tree
  - Domains in a forest with a common suffix
  - E.g. US.AD.widget.com, EURO.AD.widget.com
• Domain
  - Administrative and replication boundary
  - Conceptually the same as in Windows NT, but now corresponds to a DNS domain
  - Domain controllers hold all the information about objects (users, groups, computers, etc.) in their domain

More Definitions
• Organizational Units (OUs)
  - Administrative boundary smaller than a domain
  - Contain objects for administrative or organizational purposes
• Site
  - A group of systems with LAN (10 Mbps) connectivity
  - Site configuration affects replication
  - Defined by IP subnets
• Global Catalog
  - A server that contains a subset of the attributes for all objects in the forest
  - Think White Pages
  - Includes email address and domain (so we can ask that domain's DC for more data)

Final Definitions
• Kerberos
  - A Public Key Infrastructure based authentication system
• Schema
  - All the attributes for all the objects are defined in the schema
    - Syntax defines the type of data that can be stored in the attribute
  - The schema definition for each object class identifies all the possible attributes for the object
  - The schema contains a default DACL for each object class
    - The default ACL is used when an instance of the object

AD Design Choices
• LDAP access
  - The protocol was becoming the industry standard
• X.500 data model
  - Object hierarchy permits subtree-scoped queries
  - Schema defines attributes and object classes
• Attribute-level access control
  - Required for data sharing between applications
• DNS-integrated object naming
  - Enables a globally unique namespace based on the de facto Internet locator service
• Security
  - Multiple authentication paths, one authorization model
• In-place or side-by-side upgrade
  - Learned from Novell: offer upgrade flexibility!

Replication Design Choices
• Multi-master
  - Need local password update
  - Approximately "last writer wins"
  - Eventual convergence
• Attribute granularity
  - When an attribute changes, replicate the entire new value
  - Reduces network traffic and lost updates versus object granularity
• State-based
  - Send current state, not a log
  - Predictable storage overhead, needed anyway for full sync
  - Implies tombstones for deletes
• Transitive
  - Communicate an update to somebody, not everybody
  - Big win with mixed link speeds: once per slow link

Logical Structure Relationships (diagram)
• A forest containing two trees: SAAB.CO.SA (with child domain NA.SAAB.CO.SA) and Chevy.GM.COM (with child domain Trucks.chevy.gm.com)
• Domains contain OUs, which contain objects
• Schema and Global Catalog are shown alongside the forest

So What do We Get?
• True multi-domain integration
• Transitive trusts
• Global Catalog
• Group Policy Objects
• Controllable replication
• Directory security
• Granular administration

When to Use Multiple Trees
• The public view requires different root domain names
  - E.g. Kraft Foods doesn't want a .PhillipMorris.com suffix
• Politics require divisions to keep their names
• There is no technical advantage to multiple trees

When to Use Multiple Forests
• When, and only when, the service owners of multiple trees don't trust each other
• Multiple forest implementations do NOT:
  - Share a common Global Catalog
    - No Exchange GAL
  - Trust each other
    - You can set up old-style trusts between domains in different forests
• Rule of thumb: 1 forest per CIO

Domain Controller Roles
• Flexible Single Master Operations (FSMOs)
  - 1 per forest:
    - Domain Naming Master
    - Schema Master
    - Time Reference Server
  - 1 per domain:
    - PDC Emulator
    - RID (Relative ID) Master
    - Infrastructure Master
• KCC/ISTG (generates the inter-site topology)
• ISM (inter-site messaging)

Reasons for Creating Domains
• Physical location
• Network traffic
• International differences
• Administrative considerations
  - All users share restrictions (password length, etc.)
• Politics
• NOT: defining spheres of administration


What are OUs?
• Distinct units of administration that can be delegated
• Containers that organize objects and other containers
• Examples are geographic locations, projects, cost centers, business units, and divisions

What OUs Can Contain (diagram)
• Users, Computers, Printers, Groups, Applications, Other OUs, Security Policies, File Shares

Reasons for Creating OUs
• Enhancing administrative control
• Maintaining a consistent number of objects
• Controlling application of Group Policy Objects
• Holding other OUs
• Replacing Windows NT 4.0 resource

Remember: Domains are Expensive
• Every domain must have a DC
• Most should have 2-3 or more
• Logins require connectivity to the home DC
• Logins generate more traffic than replication

Hierarchical OU Models
• Geographic
• Object-based
• Cost center
• Project-based
• Division or business unit
• Administration

Define an OU Naming Convention
• OUs are not part of the DNS namespace
• OUs are identified by LDAP and canonical names only
• While domains are difficult to reorganize, OUs within domains can be easily renamed or moved

Delegating Administration (diagram)
• OU 1: DACL for "Group" objects: Jill can add users
• OU 2: DACL for "Group" objects: John can add users
• The ability to set ACLs for contained objects at the OU level means that you can define "who can do what" to a particular object in the OU
  - Groups created in OU 1 can be administered by Jill
  - Groups created in OU 2 can be administered by John

Delegation of Control Wizard
• Good news
  - There is a Delegation of Control Wizard
• Bad news
  - There is no undelegation of control wizard
• After delegation of control, the users must be given visibility permissions to the objects/containers they control
• Learn to edit and document ACLs


ADS Security Features - Review
• Objects have an Access Control List (ACL)
• Permissions can be delegated to users by a higher authority
• Inheritance allows permissions to be propagated to all objects in child containers
• Trusts are established among all domains in an ADS forest
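As an added illustration of the OU-level DACL model from the "Delegating Administration" slide and the inheritance point in the review above (not code from the presentation), this Python sketch decides whether a trustee holds a right on an object by walking the object's OU chain. The OU names, the trustees Jill and John, the right names such as "write_members", and the Auditor entry are constructed; real AD ACEs identify rights by GUID and carry finer inheritance flags than the single boolean used here.

```python
from dataclasses import dataclass, field

@dataclass
class OU:
    name: str
    parent: "OU | None" = None
    aces: list = field(default_factory=list)   # DACL entries set on this container

@dataclass(frozen=True)
class ACE:
    trustee: str          # who is granted the right (Jill, John, ...)
    right: str            # constructed right name, e.g. "write_members"
    object_class: str     # object type the entry applies to ("group", "user", "*")
    inherit: bool = True  # propagate to objects in child containers

@dataclass
class ADObject:
    name: str
    object_class: str
    ou: OU                # container the object was created in

def is_allowed(trustee: str, right: str, obj: ADObject) -> bool:
    """An ACE grants the right if it matches trustee, right and object class and is
    set on the object's own OU, or on an ancestor OU with inheritance enabled."""
    container, direct = obj.ou, True
    while container is not None:
        for ace in container.aces:
            if (ace.trustee, ace.right) != (trustee, right):
                continue
            if ace.object_class not in ("*", obj.object_class):
                continue
            if direct or ace.inherit:
                return True
        container, direct = container.parent, False   # climb one level; no longer direct
    return False

def build_demo() -> dict:
    """Constructed tree matching the slide: Jill delegated on OU 1, John on OU 2."""
    root = OU("AD.widget.com")
    ou1, ou2 = OU("OU 1", parent=root), OU("OU 2", parent=root)
    helpdesk = OU("Helpdesk", parent=ou1)                    # child container of OU 1
    ou1.aces.append(ACE("Jill", "write_members", "group"))  # Jill can add users to OU 1 groups
    ou2.aces.append(ACE("John", "write_members", "group"))  # John can add users to OU 2 groups
    root.aces.append(ACE("Auditor", "read", "*", inherit=False))  # applies at root only
    return {
        "sales": ADObject("Sales", "group", ou1),
        "hd": ADObject("Helpdesk-Ops", "group", helpdesk),
        "eng": ADObject("Engineering", "group", ou2),
        "jill_user": ADObject("jill", "user", ou1),
        "root_grp": ADObject("Domain Admins", "group", root),
    }
```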

Group Types
• Security groups
  - Allow you to assign permissions
  - Allow you to use groups as an e-mail distribution list
  - Windows NT uses only security groups
• Distribution groups
  - Do not allow you to assign permissions
  - Allow you to use groups as an e-mail distribution list

Rules for Group Membership
• Global group
  - Members: user accounts and global groups from the same domain
  - Can be a member of: universal and domain local groups in any domain; global groups in the same domain
• Domain Local group
  - Members: user accounts, universal, and global groups from any domain; domain local groups from the same domain
  - Can be a member of: domain local groups in the same domain
• Universal group
  - Members: user accounts, universal, and global groups from any domain
  - Can be a member of: domain local or universal groups in any domain
• Universal groups are only available in native mode

Group Scopes
• Global group
  - Limited membership
  - Use for access to resources in any domain
• Domain Local group
  - Open membership
  - Use for access to resources in one domain
• Universal group
  - Open membership
  - Use for access to resources in any domain
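As an added example (not part of the presentation), the membership and scope rules from the two slides above modelled in Python: can_be_member encodes the membership table, including the native-mode restriction on universal groups, and effective_groups follows nesting to show how a user in a global group reaches a domain local group in another domain. The user and group names are constructed; the domain names are the slide's US.AD.widget.com and EURO.AD.widget.com.

```python
from dataclasses import dataclass

USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "user", "global", "domain_local", "universal"

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str     # USER, GLOBAL, DOMAIN_LOCAL or UNIVERSAL
    domain: str   # DNS name of the domain the object lives in

def can_be_member(member: Principal, group: Principal, native_mode: bool = True) -> bool:
    """May `member` be added to `group` under the slide's scope rules?"""
    assert group.kind in (GLOBAL, DOMAIN_LOCAL, UNIVERSAL), "target must be a group"
    if UNIVERSAL in (member.kind, group.kind) and not native_mode:
        return False                                   # universal groups: native mode only
    same_domain = member.domain == group.domain
    if group.kind == GLOBAL:                           # limited membership
        return member.kind in (USER, GLOBAL) and same_domain
    if group.kind == DOMAIN_LOCAL and member.kind == DOMAIN_LOCAL:
        return same_domain                             # domain-local nesting stays in-domain
    return member.kind in (USER, GLOBAL, UNIVERSAL)    # domain local / universal: open

def add_member(members: dict, member: Principal, group: Principal, native_mode: bool = True) -> None:
    if not can_be_member(member, group, native_mode):  # refuse what the scope rules forbid
        raise ValueError(f"{member.name} ({member.kind}) cannot join {group.name} ({group.kind})")
    members.setdefault(group, set()).add(member)

def effective_groups(members: dict, principal: Principal) -> set:
    """Transitive closure of nesting: every group the principal ends up in."""
    seen, todo = set(), [principal]
    while todo:
        p = todo.pop()
        for group, direct in members.items():
            if p in direct and group not in seen:
                seen.add(group)
                todo.append(group)
    return seen

# Constructed demo: a US user reaches a EURO resource group through global -> universal -> domain local.
US, EURO = "US.AD.widget.com", "EURO.AD.widget.com"
alice = Principal("alice", USER, US)
us_sales = Principal("US-Sales", GLOBAL, US)                    # global: same-domain users only
all_sales = Principal("All-Sales", UNIVERSAL, US)               # universal: collects globals forest-wide
euro_share = Principal("EURO-SalesShare", DOMAIN_LOCAL, EURO)   # domain local: carries the resource ACL
MEMBERS: dict = {}
add_member(MEMBERS, alice, us_sales)
add_member(MEMBERS, us_sales, all_sales)
add_member(MEMBERS, all_sales, euro_share)
```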

How does AD use DNS?
• Windows 2000 uses DNS as a domain locator and name-to-IP translator
  - Domain controllers are registered in DNS
  - Clients query DNS to locate DCs
    - Analogous to Internet mail (the MX record)
• Better-scaling long-term replacement for NetBIOS Name Services (aka WINS)
• Requires DNS servers that support

Migrating to AD
• Single domain
  - Migrate in place
  - Clean up later
• 2-3 domains
  - Migrate the "root" domain in place
  - Use ADMT for additional domains
    - You're stuck with SIDHistory
• Bigger
  - Now: redesign from scratch

Audience Response Question?