COMP091 OS1
Active Directory
Some History
• Early 1990s Windows for Workgroups introduced peer-to-peer networking based on SMB over NetBIOS (TCP/IP was still foreign)
– No central authentication
– Users invent workgroup names freely
• Workgroup names really just make it easier to find computers on the network
– Accounting
– Payroll
• No effective security role
Windows Domains
• More or less simultaneously, NT introduced real networking (TCP/IP)
• And windows domain concept
– Name resolution still based on primitive broadcast protocols
– And self-configuring WINS servers
• But a central directory was introduced to control access to domain resources and to authenticate users
Domain Controllers
• With central authentication and access control, there needs to be a central database
• Primary Domain Controllers and Backup Domain Controllers served that function in early NT systems
• Notice that centralised authentication calls for
– Authentication mechanism
– A database
– A backup authentication mechanism
– A database replication mechanism
• Domain Controllers offered primitive versions of these functions
NDS
• While windows was deploying NT Domain controller based networking, the competition was way ahead
• Novell's NDS had
– Flexible and extensible X.500-style directory (later also LDAP-accessible)
– Sophisticated replication strategy
– Authentication service
– Fine grained ACLs
– All types of resources in the directory
• Printers, computers, users, groups
NTDS
• MS response was originally called NTDS (NT Directory Service)
– Maybe too similar to NDS
• Now called Active Directory
– The old name survives on every domain controller: the NTDS service and the database file ntds.dit
Active Directory
• Active Directory includes
– Flexible and extensible LDAP based directory
– Sophisticated replication strategy
– Authentication service (Kerberos, with NTLM kept for compatibility)
– Fine grained ACLs
– All types of resources in the directory
• Printers, computers, users, groups
• DNS based computer names
– WINS servers are only still needed where legacy NetBIOS-name-dependent clients or applications remain
AD Data Structures
• NT PDC/BDC intended to serve one domain
• So Accounting might have one, and Payroll too
• AD wants a unified database
– So an accounting login can have access to payroll resources
• AD extends this functionality to globally distributed organisations
• Each domain is a partition of the enterprise AD database: its domain controllers hold that partition, while every domain controller in the forest also holds the forest-wide schema and configuration partitions
– So geographically disparate installations can each house their own partition, but trust relationships can be enterprise wide
AD Trust Relationships
• AD domains can “trust” other Active Directory domains
• This really means that the trusting domain accepts the trusted domain's authentication of its users
• Trusted users from the other domain can then be given access to resources in the trusting domain
– A trust is an authentication path, not a grant: the user still needs an ACL entry (usually via a group) on the resource
• Accounting users can be given access to files owned by the Payroll Department
• Within a forest this works automatically because the domains share one schema, one configuration partition and one global catalog; between forests it needs an explicitly created trust
Objects and Attributes
• AD database contains information on many different types of things
• Collectively called objects
• Some objects can be “containers” of other objects
– A domain can contain sub-domains
– Producing a hierarchical tree-like structure
• Objects are defined by values of attributes
• Objects of the same “class” have same attributes
– But different attribute values
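As an added example, not part of the lecture: the PowerShell below uses the RSAT ActiveDirectory module to show one object with its class and populated attributes, the class definition from the schema partition (which is why every object of a class carries the same attribute set), and the children of a container. The user `jdoe` and the OU `OU=Payroll,DC=corp,DC=example` are placeholder names.

```powershell
# Added example (not from the lecture). Requires the RSAT ActiveDirectory module on a
# domain-joined host. 'jdoe' and the Payroll OU below are placeholder names.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE   # exposes the naming contexts (partitions) of this forest

# 1. One object: its class, and the attributes that actually hold a value for it.
function Get-ObjectAttributes {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $obj = Get-ADUser -Identity $SamAccountName -Properties *
    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        ObjectClass       = $obj.ObjectClass        # most specific class, e.g. 'user'
        ObjectCategory    = $obj.ObjectCategory     # indexed and single valued: prefer it in LDAP filters
        PopulatedAttrs    = ($obj.PSObject.Properties | Where-Object { $null -ne $_.Value }).Name | Sort-Object
    }
}

# 2. The class definition: which attributes any object of this class may or must carry.
#    Only attributes declared on the class itself are listed; those inherited from
#    organizationalPerson/person/top (cn, objectClass, nTSecurityDescriptor, ...) are not.
function Get-ClassDefinition {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $cls = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties subClassOf, mustContain, systemMustContain, mayContain, systemMayContain
    [pscustomobject]@{
        Class    = $LdapDisplayName
        Parent   = $cls.subClassOf
        Required = @($cls.mustContain) + @($cls.systemMustContain)
        Optional = @($cls.mayContain)  + @($cls.systemMayContain)
    }
}

# 3. Containers: the objects directly under an OU, and which of them are containers themselves.
function Get-ContainerChildren {
    param([Parameter(Mandatory)][string]$ContainerDN)
    Get-ADObject -SearchBase $ContainerDN -SearchScope OneLevel -Filter * |
        Select-Object Name, ObjectClass,
            @{ n = 'IsContainer'; e = { $_.ObjectClass -in 'organizationalUnit', 'container' } }
}

Get-ObjectAttributes -SamAccountName 'jdoe' | Format-List
$def = Get-ClassDefinition -LdapDisplayName 'user'
"user inherits from {0}; {1} required and {2} optional attributes are declared on the class itself" -f $def.Parent, $def.Required.Count, $def.Optional.Count
Get-ContainerChildren -ContainerDN 'OU=Payroll,DC=corp,DC=example' | Format-Table -AutoSize
```

The security point behind the schema query: because every object of a class carries the same attributes, an ACL entry that grants write access to an attribute such as `member` or `servicePrincipalName` on a container (inherited by the objects below it) grants it for every object of that class underneath, not just the one the administrator had in mind.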
Active Directory Objects and Attributes (diagram)
Forests and Trees
• Container objects contain other objects, which may in turn contain objects
• The resulting hierarchy is called a tree, with root objects, branch objects and leaf objects
• Domains themselves also form a tree: a child domain shares a contiguous DNS namespace with its parent (for example payroll.corp.example under corp.example)
• An AD database can contain more than one such tree, each with its own DNS namespace
• The collection of trees that share one schema, one configuration partition and one global catalog is called a forest
– The forest, not the domain, is the security boundary: an administrator of any domain in the forest can compromise every other domain in it
Domain Tree (diagram)

Forest of Trees (diagram)
Organizational Units
• An alternative to breaking a domain down into sub-domains is to establish organizational units
– Think of departments
• These are also containers
– For users, groups, computers and other OUs
• Administration can be delegated to an OU administrator
– Delegation is done by granting rights in the OU's ACL, which the objects below it inherit
– Delegated rights such as resetting passwords or writing group membership are as powerful as the accounts they reach, so they need the same auditing as domain-level rights
OU Container (diagram)
Trusts
• Implicit Two-Way Transitive Trust
– Parent and child domains
• Automatic
– If Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C
– Hence all domains in a tree trust each other
– The roots of the trees in a forest are joined by automatic tree-root trusts that are also two-way and transitive, so every domain in a forest trusts every other
Trusts
• Explicit Trust
– Must be declared
– External trust: to an NT domain or to a single domain in another forest; non-transitive, one-way or two-way
– Forest trust (Windows Server 2003 and later): between two forest roots; transitive within both forests
– Only applies to the explicitly declared domains (or forests)
– SID filtering should stay enabled on these trusts so that SIDs injected into sIDHistory on the other side are discarded
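A practitioner's check for both trust slides, added here and not part of the lecture: enumerate every trust the current domain has and decode the trustAttributes bits, which is where the transitive, SID-filtering and selective-authentication properties discussed above actually live. The flag values are those documented in MS-ADTS for the trustAttributes attribute; the only assumption is a domain-joined session with the RSAT ActiveDirectory module.

```powershell
# Added example (not from the lecture). Requires the RSAT ActiveDirectory module.
# Any authenticated user can read the trustedDomain objects this relies on.
Import-Module ActiveDirectory

# trustAttributes bit flags as documented in MS-ADTS (trustAttributes attribute)
$TrustAttr = [ordered]@{
    NON_TRANSITIVE                  = 0x1    # explicit external/NT4 trust: does not chain
    UPLEVEL_ONLY                    = 0x2
    QUARANTINED_DOMAIN              = 0x4    # SID filtering enforced on an external trust
    FOREST_TRANSITIVE               = 0x8    # forest trust: transitive across both forests
    CROSS_ORGANIZATION              = 0x10   # selective authentication
    WITHIN_FOREST                   = 0x20   # implicit parent/child or tree-root trust
    TREAT_AS_EXTERNAL               = 0x40   # forest trust with SID filtering relaxed to external level
    USES_RC4_ENCRYPTION             = 0x80
    CROSS_ORG_NO_TGT_DELEGATION     = 0x200
    PIM_TRUST                       = 0x400
    CROSS_ORG_ENABLE_TGT_DELEGATION = 0x800
}

function Get-TrustReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $attr  = [int]$_.TrustAttributes
        $flags = ($TrustAttr.GetEnumerator() | Where-Object { ($attr -band $_.Value) -ne 0 }).Key

        $kind = if ($attr -band 0x20) { 'within forest' }
                elseif ($attr -band 0x8) { 'forest trust' }
                else { 'external' }

        # Can sIDHistory values from the other side be honoured here? That is the attack
        # surface a trust without SID filtering exposes.
        $sidFiltering = if ($attr -band 0x20) { 'n/a (same forest)' }
                        elseif ($attr -band 0x8) { if ($attr -band 0x40) { 'RELAXED (treat-as-external)' } else { 'forest level' } }
                        elseif ($attr -band 0x4) { 'quarantined' }
                        else { 'OFF' }

        [pscustomobject]@{
            Partner       = $_.Target
            Direction     = $_.Direction     # Outbound: we trust their users; Inbound: they trust ours
            Type          = $_.TrustType     # Uplevel (AD), Downlevel (NT4), Kerberos realm
            Kind          = $kind
            Transitive    = ($attr -band 0x1) -eq 0
            SIDFiltering  = $sidFiltering
            SelectiveAuth = [bool]$_.SelectiveAuthentication
            Flags         = $flags -join ','
        }
    }
}

$report = Get-TrustReport
$report | Sort-Object Kind, Partner | Format-Table -AutoSize

# The ones to raise in a review: anything outside the forest that is transitive, or that
# lets foreign sIDHistory through.
$report | Where-Object { $_.Kind -ne 'within forest' -and ($_.Transitive -or $_.SIDFiltering -in 'OFF', 'RELAXED (treat-as-external)') } |
    ForEach-Object { "REVIEW: {0} ({1}, {2}) transitive={3} sidfiltering={4}" -f $_.Partner, $_.Kind, $_.Direction, $_.Transitive, $_.SIDFiltering }
```

Direction is read from the trusting domain's point of view: an outbound trust means this domain accepts the partner's authentication, so the partner's users can be granted access here. Selective authentication, when set, additionally requires an "Allowed to Authenticate" ACE on each resource computer before a trusted user gets in at all.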
Two Types of Trust Relationships (diagram)
Trusting Everyone -- Replication
• In order to trust users in another domain, there needs to be access to the other domain's user list
• A partial replica (a subset of the attributes of every object in every domain) is replicated to the global catalog
• Some domain controllers are designated as Global Catalog Servers
• The global catalog is replicated to all Global Catalog Servers
• Logon and access to resources outside of your domain require a reachable global catalog server: it resolves universal group membership and locates objects in other domains
Replication for Redundancy
• Global catalog is replicated to ensure global access
• Each domain's partition is replicated to every domain controller of that domain to ensure continuous availability
• Multiple controllers for each domain
• Multiple global catalog servers in the forest
• Replication configuration is complex
• Allows for fast replication of some data
– Within site
– New users
• Slower replication of other data
– Across slower links
– Less critical information
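Added example, not from the lecture: the checks an operator runs to see where the global catalog lives, which domain controllers hold which roles, and how far behind each replication partner is. Replication lag matters for security because a disabled account or a changed password is only effective everywhere once every domain controller has received it. The code assumes the RSAT ActiveDirectory module and hard-codes no names.

```powershell
# Added example (not from the lecture). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Where the forest-wide data lives: every domain, and every DC that holds the GC partial replica
function Get-ForestLayout {
    $forest = Get-ADForest
    [pscustomobject]@{
        Forest         = $forest.Name
        Domains        = $forest.Domains
        GlobalCatalogs = $forest.GlobalCatalogs
        Sites          = $forest.Sites
    }
}

# Per DC of the current domain: site, GC role, read-only status
function Get-DcRoles {
    Get-ADDomainController -Filter * |
        Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem
}

# How stale is each inbound partner for each partition on a given DC?
function Get-ReplicationLag {
    param([string]$Server = (Get-ADDomainController).HostName)   # default: the DC this session uses
    Get-ADReplicationPartnerMetadata -Target $Server -Scope Server -PartnerType Inbound |
        ForEach-Object {
            # Partner is the DN of the partner's NTDS Settings object: CN=NTDS Settings,CN=<server>,...
            $partnerName = (($_.Partner -split ',')[1]) -replace '^CN='
            [pscustomobject]@{
                Server      = $Server
                Partition   = $_.Partition
                Partner     = $partnerName
                LastSuccess = $_.LastReplicationSuccess
                LagMinutes  = [int]((Get-Date) - $_.LastReplicationSuccess).TotalMinutes
                Failures    = $_.ConsecutiveReplicationFailures
            }
        }
}

# Site links are where the "slower across links" schedule is configured
function Get-SiteLinkSchedule {
    Get-ADReplicationSiteLink -Filter * |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes,
            @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
}

Get-ForestLayout | Format-List
Get-DcRoles | Format-Table -AutoSize
Get-ReplicationLag | Sort-Object LagMinutes -Descending | Format-Table -AutoSize
Get-SiteLinkSchedule | Format-Table -AutoSize

# Forest-wide: any partner that has been failing?
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime
```

Within a site, changes replicate within seconds (urgent changes such as account lockouts go straight to the PDC emulator); across site links the interval shown by `ReplicationFrequencyInMinutes` is the floor on how long an incident response action can take to reach every DC.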
Assigning Permissions - Groups
• Access to resources can be assigned to each user individually
– Too much administrative overhead
• Instead, users can be assigned to groups
• And permissions then granted to the group
• Groups can contain groups
• Users get their own rights, plus the rights of their group, plus the rights of groups their group is in
Types of Groups
• Global Group
– Members only from the local domain; can be granted rights in any domain of the forest
• Domain Local Group
– Members from any trusted domain; rights only on resources in the local domain
• Universal Group
– Members from any domain in the forest; membership is stored in the global catalog, so changes replicate forest wide
• Default groups
– Domain Admins
– Domain Guests
– Domain Users
– etc.
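Added example, not part of the lecture, for the two group slides above: resolving what a user actually carries into the access token (direct, nested and primary group membership), and the reverse question of which users end up in a privileged group through nesting. It uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule so the domain controller performs the nesting walk. Assumes the RSAT ActiveDirectory module; `jdoe` is a placeholder user.

```powershell
# Added example (not from the lecture). Requires the RSAT ActiveDirectory module.
# 'jdoe' is a placeholder user; group names are the built-in defaults.
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_IN_CHAIN: the DC follows member/memberOf links transitively, so the
# client sees nested membership without recursing (DNs containing '(' or ')' would need LDAP escaping).
$InChain = '1.2.840.113556.1.4.1941'

# Every user that ends up in $GroupName, however deeply the groups are nested
function Get-EffectiveUsers {
    param([Parameter(Mandatory)][string]$GroupName)
    $dn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    Get-ADUser -LDAPFilter "(memberOf:${InChain}:=$dn)" -Properties adminCount, LastLogonDate |
        Select-Object SamAccountName, Enabled, adminCount, LastLogonDate
}

# Every group whose rights a user will carry in the token: direct, nested, and the primary group.
# The primary group is not in memberOf; it is referenced by RID in primaryGroupID.
function Get-EffectiveGroups {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user      = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID
    $domainSid = (Get-ADDomain).DomainSID.Value
    $primary   = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"
    $nested    = Get-ADGroup -LDAPFilter "(member:${InChain}:=$($user.DistinguishedName))"
    @($primary) + @($nested) |
        Select-Object Name, GroupScope, GroupCategory, @{ n = 'SID'; e = { $_.SID.Value } }
}

# Which chain of groups puts a user into a privileged group? Breadth-first walk of 'member'.
function Get-MembershipPath {
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$GroupName)
    $userDN = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $target = Get-ADGroup -Identity $GroupName
    $seen   = @{}
    $queue  = New-Object System.Collections.Queue
    $queue.Enqueue(@($target.DistinguishedName))
    while ($queue.Count -gt 0) {
        $path = $queue.Dequeue()
        $g = Get-ADGroup -Identity $path[-1] -Properties member
        foreach ($m in $g.member) {
            if ($m -eq $userDN) { return ($path + $m) -join ' -> ' }
            if (-not $seen.ContainsKey($m) -and (Get-ADObject -Identity $m).ObjectClass -eq 'group') {
                $seen[$m] = $true
                $queue.Enqueue($path + $m)
            }
        }
    }
    return $null   # not a member by any path (primary-group membership is not walked here)
}

Get-EffectiveUsers  -GroupName 'Domain Admins' | Format-Table -AutoSize
Get-EffectiveGroups -SamAccountName 'jdoe'     | Format-Table -AutoSize
Get-MembershipPath  -SamAccountName 'jdoe' -GroupName 'Domain Admins'
```

`whoami /groups` on a logged-on session shows the token the lecture describes, including well-known SIDs such as Authenticated Users that no directory query returns; comparing it with `Get-EffectiveGroups` is a quick way to spot stale tokens after a group change. An `adminCount` of 1 on a user returned by `Get-EffectiveUsers` means AdminSDHolder has already marked the account as protected because of a nested path into a privileged group.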
Group Policy
• Not the same groups as used to assign permissions
• A policy is linked to a container:
– Site, Domain or OU (plus the local GPO on each computer)
• Policies contain user and computer related configuration information
• Scope is by container, not by arbitrary set of users: a GPO applies to everything in the site, domain or OU it is linked to
• A user or computer is in exactly one OU, but that OU is nested inside parent OUs, the domain and a site, so several policies usually apply, processed in that order
Group Policy Objects
• Create specific desktop configurations for particular groups of users.
• Collections of group policy settings.
• Computer has one local GPO and any number of AD-based GPOs.
• Local GPO can be overridden by other GPOs,
• Local GPO is the least influential in an Active Directory environment.
Group Policy Priority
• Local GPO:
– Computer has one GPO stored locally.
• Site GPOs:
– GPOs linked to site are processed next
– Administrator specifies the order of GPOs linked to a site.
Group Policy Priority
• Domain GPOs:
– Domain-linked GPOs are processed next
– Administrator specifies the order of GPOs linked to a domain.
• OU GPOs:
– GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs linked to its child OU, and so on
– The last setting written wins, so the link closest to the user or computer has the highest precedence, unless a higher link is Enforced or the OU has Block Inheritance set
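Added example, not from the lecture, covering the three Group Policy Priority slides as one procedure: list the GPOs that will be processed for an object in the order local, site, domain, OU chain from the top down, and then cross-check against the precedence the API computes once Enforced and Block Inheritance are taken into account. Requires the GroupPolicy and ActiveDirectory RSAT modules; the computer DN and site name in the usage lines are placeholders.

```powershell
# Added example (not from the lecture). Requires the GroupPolicy and ActiveDirectory RSAT modules.
# The computer DN and site name in the usage lines are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Lists the GPOs that apply to an object in processing order (local, site, domain, OUs top-down).
# Later rows overwrite earlier ones for any setting both define, except that an Enforced link
# beats everything below it and Block Inheritance drops non-enforced links from above.
function Get-GpoProcessingOrder {
    param([Parameter(Mandatory)][string]$ObjectDN, [string]$SiteName)

    $parts    = $ObjectDN -split '(?<!\\),'                              # split on unescaped commas
    $domainDN = ($parts | Where-Object { $_ -like 'DC=*' }) -join ','
    $ouDNs    = for ($i = $parts.Count - 1; $i -ge 1; $i--) {           # highest OU first
                    if ($parts[$i] -like 'OU=*') { $parts[$i..($parts.Count - 1)] -join ',' }
                }

    $step = 0
    [pscustomobject]@{ Step = ++$step; Level = 'Local'; Container = '(this computer)'; GPO = 'Local Group Policy'; Enforced = $false; BlocksInheritance = $false }

    # Site links live in gPLink on the site object: "[LDAP://<gpo dn>;<options>]..." where
    # option bit 1 = link disabled and bit 2 = Enforced. Entries are stored in link order
    # (first entry = link order 1 = highest precedence), so they are processed in reverse.
    if ($SiteName) {
        $site  = Get-ADReplicationSite -Identity $SiteName -Properties gPLink
        $links = [regex]::Matches([string]$site.gPLink, '\[LDAP://([^;]+);(\d+)\]')
        for ($j = $links.Count - 1; $j -ge 0; $j--) {
            $opts = [int]$links[$j].Groups[2].Value
            if ($opts -band 1) { continue }
            $guid = [regex]::Match($links[$j].Groups[1].Value, '\{([0-9A-Fa-f-]+)\}').Groups[1].Value
            $gpo  = Get-GPO -Guid $guid
            [pscustomobject]@{ Step = ++$step; Level = 'Site'; Container = $SiteName; GPO = $gpo.DisplayName; Enforced = ($opts -band 2) -ne 0; BlocksInheritance = $false }
        }
    }

    # Domain, then each OU top-down. GpoLinks carry Order (1 = highest precedence),
    # so processing order is descending Order.
    foreach ($container in (@($domainDN) + @($ouDNs | Where-Object { $_ }))) {
        $inh   = Get-GPInheritance -Target $container
        $level = if ($container -eq $domainDN) { 'Domain' } else { 'OU' }
        foreach ($link in ($inh.GpoLinks | Sort-Object Order -Descending)) {
            if (-not $link.Enabled) { continue }
            [pscustomobject]@{ Step = ++$step; Level = $level; Container = $container; GPO = $link.DisplayName; Enforced = $link.Enforced; BlocksInheritance = $inh.GpoInheritanceBlocked }
        }
    }
}

$computerDN = 'CN=PAY-WS01,OU=Workstations,OU=Payroll,DC=corp,DC=example'
Get-GpoProcessingOrder -ObjectDN $computerDN -SiteName 'Default-First-Site-Name' | Format-Table -AutoSize

# Cross-check with what the API computes after Enforced/Block Inheritance are applied:
# InheritedGpoLinks of the object's own OU, highest precedence first.
$leafOU = ($computerDN -split '(?<!\\),', 2)[1]
(Get-GPInheritance -Target $leafOU).InheritedGpoLinks | Select-Object DisplayName, Enforced, Target
```

On the client itself `gpresult /r` (or `/scope:computer`) shows the same list as actually applied, together with the GPOs filtered out and the reason, which is the place to look when a security setting is not taking effect.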
Group Policy Settings
• Some apply to users
– Based on user's domain and OUs
– Applied when user logs in
• Some apply to computer
– Based on computer's domain and OUs
– Applied when the OS initializes
• Include Software Settings, Windows Settings, and Administrative Templates
GPO Contents
• Scripts
– Logon/Logoff and Startup/Shutdown
• Security Settings
– Applied after security template
• Other software settings e.g. IE parameters
• Administrative Templates
– Registry based settings, written under the policy keys of
– HKEY_LOCAL_MACHINE (HKLM) for computer settings
– HKEY_CURRENT_USER (HKCU) for user settings
Aligning Policy Groups with Security Groups
• Policy scope is based on Sites, Domains and OUs
• Security Groups can be arbitrary and users can belong to multiple security groups
• To have GPOs for a security group
– Create a GPO for each group
– Link all GPOs at top level (Domain)
– Grant each security group Apply Group Policy (which implies Read) on the GPO meant for its members, and remove Apply Group Policy from Authenticated Users
– Leave Authenticated Users (or Domain Computers) with Read: since MS16-072 the computer account must be able to read a GPO for its user settings to apply
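The procedure above carried out with the GroupPolicy module, as an added example that is not part of the lecture: create and link the GPO at the domain, filter it to one security group, keep Read for Authenticated Users, verify the result, and audit the domain for GPOs whose filtering would make them unreadable for computer accounts. Requires the GroupPolicy and ActiveDirectory RSAT modules and rights to create and link GPOs; the GPO and group names are placeholders.

```powershell
# Added example (not from the lecture). Requires the GroupPolicy and ActiveDirectory RSAT modules
# and rights to create and link GPOs. The GPO and group names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$gpoName  = 'Payroll Desktop Policy'
$group    = 'Payroll Users'

# 1. Create the GPO (if needed) and link it at the top level, as the slide suggests
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$alreadyLinked = (Get-GPInheritance -Target $domainDN).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $alreadyLinked) { New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null }

# 2. Security filtering: the target group gets Apply Group Policy (GpoApply includes Read)
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Authenticated Users drops from Apply to Read. Keep Read: since MS16-072 the client reads
#    user-side policy with the computer account, so a GPO the computer cannot read is skipped silently.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Verify who can apply the GPO and whether computer accounts can still read it
function Test-GpoFiltering {
    param([Parameter(Mandatory)][string]$Name, [string[]]$ExpectedApply = @())
    $perms   = Get-GPPermission -Name $Name -All
    $apply   = @(($perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }).Trustee.Name)
    $readers = @(($perms | Where-Object { $_.Permission -in 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity' -and -not $_.Denied }).Trustee.Name)
    $missing = @($ExpectedApply) | Where-Object { $_ -notin $apply }
    $extra   = $apply            | Where-Object { $_ -notin @($ExpectedApply) }
    $asExpected = if ($ExpectedApply.Count -gt 0) { -not ($missing -or $extra) } else { $null }
    [pscustomobject]@{
        GPO              = $Name
        ApplyTrustees    = $apply -join ', '
        ApplyAsExpected  = $asExpected
        ComputersCanRead = [bool]($readers | Where-Object { $_ -in 'Authenticated Users', 'Domain Computers' })
    }
}
Test-GpoFiltering -Name $gpoName -ExpectedApply $group | Format-List

# 5. Domain-wide audit for the MS16-072 trap: GPOs that computer accounts cannot read
Get-GPO -All | ForEach-Object { Test-GpoFiltering -Name $_.DisplayName } |
    Where-Object { -not $_.ComputersCanRead } |
    Select-Object GPO, ApplyTrustees
```

On a client, `gpresult /r /scope:user` should list the GPO under applied objects for a member of the group and under "Filtering: Denied (Security)" for everyone else. Note the trade-off this design introduces: whoever can change the membership of `Payroll Users` now decides who receives the policy, so a group used to filter a security-relevant GPO has to be protected like the GPO itself.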
GPO for Security Group (diagram)
Resources
• Old but authoritative
– http://technet.microsoft.com/en-us/library/bb742424.aspx
• A tutorial
– http://searchwindowsserver.techtarget.com/tutorial/Active-Directory-Tutorial
• A collection
– http://www.petri.co.il/ad.htm
• Wikipedia
– http://en.wikipedia.org/wiki/Active_Directory