COMP091 OS1 Active Directory. Some History Early 1990s Windows for Workgroups introduced...


COMP091 OS1

Active Directory


Some History

• Early 1990s Windows for Workgroups introduced peer-to-peer networking based on SMB over netbios (tcp/ip still foreign)

– No central authentication

– Users invent workgroup names freely

• Workgroup names really just make it easier to find computers on the network

– Accounting

– Payroll

• No effective security role


Windows Domains

• More or less simultaneously, NT introduced real networking (tcp/ip)

• And the Windows domain concept

– Name resolution still based on primitive broadcast protocols

– And self-configuring WINS servers

• But a central directory was introduced to control access to domain resources and to authenticate users


Domain Controllers

• With central authentication and access control, there needs to be a central database

• Primary Domain Controllers and Backup Domain Controllers served that function in early NT systems

• Notice that centralised authentication calls for

– Authentication mechanism

– A database

– A backup authentication mechanism

– A database replication mechanism

• Domain Controllers offered primitive versions of these functions


NDS

• While Windows was deploying NT Domain Controller based networking, the competition was way ahead

• Novell's NDS had

– Flexible and extensible LDAP based directory

– Sophisticated replication strategy

– Authentication service

– Fine grained ACL

– All types of resources in the directory

• Printers, computers, users, groups


NDS

• MS response originally called NTDS

– Maybe too similar to NDS

• Now called Active Directory


Active Directory

• Active Directory includes

– Flexible and extensible LDAP based directory

– Sophisticated replication strategy

– Authentication service

– Fine grained ACL

– All types of resources in the directory

• Printers, computers, users, groups

• DNS based computer names

– But WINS servers still required


AD Data Structures

• NT PDC/BDC intended to serve one domain

• So Accounting might have one, and Payroll too

• AD wants a unified database

– So an accounting login can have access to payroll resources

• AD extends this functionality to globally distributed organisations

• Geographically disparate AD installations can each house a partition of an enterprise AD database

– But trust relationships can be enterprise wide


AD Trust Relationships

• AD domains can “trust” other active directory domains

• This really means that an AD domain can trust the users in another domain

• Trusted users from the other domain can be given access to resources in the trusting domain

• Accounting users can be given access to files owned by the Payroll Department

• This is only possible because the two domains are part of the same AD database


Objects and Attributes

• AD database contains information on many different types of things

• Collectively called objects

• Some objects can be “containers” of other objects

– A domain can contain sub-domains

– Producing a hierarchical tree-like structure

• Objects are defined by values of attributes

• Objects of the same “class” have same attributes

– But different attribute values


Active Directory Objects and Attributes


Forests and Trees

• Container objects contain other objects, which may in turn contain objects

• The resulting hierarchy is called a tree, with root objects, branch objects and leaf objects

• An AD database can contain more than one tree

• The collection of trees in an AD database is called a Forest


Domain Tree


Forest of Trees


Organizational Units

• An alternative to breaking a domain down into sub-domains is to establish organizational units

– Think of departments

• These are also containers

– For users, files, computers etc.

• Administration can be delegated to an OU administrator


OU Container


Trusts

• Implicit Two-Way Transitive Trust

– Parent and child domains

• Automatic

– If Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C

– Hence all domains in tree trust each other

– Limited implicit trust between roots of trees in a forest


Trusts

• Explicit One-Way Non-transitive Trust

– Must be declared

– Domains in different trees or forests, or NT domains

– Only applies to explicitly declared domains
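The two trust kinds on these slides, as an added example (not part of the lecture): a tiny model in which parent/child trusts are two-way and transitive while explicit trusts are one-way and reach only the declared pair. The domain names, including the "LEGACY" NT domain, are constructed; the limited forest-root trust between trees is left out.

```python
"""Added example, not from the slides: a small model of the two trust kinds.
Implicit parent/child trusts are two-way and transitive, so trust reaches any
domain in the same tree; explicit trusts are one-way and non-transitive, so
they reach only the domain they were declared for. Domain names are
constructed sample data."""
from collections import deque

# Parent/child links of one tree (implicit two-way transitive trusts).
PARENT_CHILD = [
    ("corp.example", "acct.corp.example"),
    ("corp.example", "payroll.corp.example"),
    ("acct.corp.example", "eu.acct.corp.example"),
]
# Explicit trusts as (trusting, trusted): the trusting domain accepts the
# trusted domain's users and nothing else is implied. "LEGACY" stands for an
# old NT domain outside the tree.
EXPLICIT = [("corp.example", "LEGACY")]


def trusts(trusting: str, trusted: str) -> bool:
    """True if `trusting` will accept users authenticated by `trusted`."""
    if trusting == trusted:
        return True
    # Explicit trust: only the directly declared pair counts (non-transitive).
    if (trusting, trusted) in EXPLICIT:
        return True
    # Implicit trust: walk the tree in both directions (two-way) and keep
    # going through intermediate domains (transitive).
    seen, queue = {trusting}, deque([trusting])
    while queue:
        cur = queue.popleft()
        neighbours = [c for p, c in PARENT_CHILD if p == cur]
        neighbours += [p for p, c in PARENT_CHILD if c == cur]
        for nxt in neighbours:
            if nxt == trusted:
                return True
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def who_trusts(trusted: str) -> set:
    """Every domain in the model that accepts users from `trusted`."""
    domains = {d for pair in PARENT_CHILD + EXPLICIT for d in pair}
    return {d for d in domains if d != trusted and trusts(d, trusted)}
```

Note that `acct.corp.example` does not trust `LEGACY` even though its parent does: an explicit trust is not inherited down the tree.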


Two Types of Trust Relationships


Trusting Everyone -- Replication

• In order to trust users in another domain, there needs to be access to the other domain's user list

• Some domain data is replicated to the global catalog

• Some domain controllers are designated as Global Catalog Servers

• The global catalog is replicated to all Global Catalog Servers

• Access to resources outside of your domain requires access to a global catalog server


Replication for Redundancy

• Global catalog is replicated to ensure global access

• Entire domain database is replicated to ensure continuous availability

• Multiple controllers for each domain

• Multiple global catalog servers in the forest

• Replication configuration is complex

• Allows for fast replication of some data

– Within site

– New users

• Slower replication of other data

– Across slower links

– Less critical information


Assigning Permissions - Groups

• Access to resources can be assigned to each user individually

– Too much administrative overhead

• Instead, users can be assigned to groups

• And permissions then granted to the group

• Groups can contain groups

• Users get their own rights, plus the rights of their group, plus the rights of groups their group is in


Types of Groups

• Global Group

– Members restricted to local domain

• Domain Local Group

– Rights restricted to resources in local domain

• Universal Group

– Any users, any resource

• Default groups

– Domain Admins

– Domain Guests

– Domain Users

– etc.
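Effective rights through nested groups (the previous slide) together with the group scopes listed above, as an added example that is not part of the lecture. The users, domains, groups and shares are constructed; the chain Accounting user, Global group, Domain Local group in the payroll domain, rights on payroll files is the cross-domain access the slides describe, and "Bad Global" is deliberately wrong so the scope check has something to find.

```python
"""Added example, not from the slides: effective rights through nested groups,
checked against the slides' group scopes (Global: members from its own domain
only; Domain Local: rights on its own domain's resources only; Universal:
any). Users, groups, domains and shares are constructed sample data."""
from dataclasses import dataclass, field

@dataclass
class Group:
    domain: str
    scope: str                                  # Global, DomainLocal or Universal
    members: set = field(default_factory=set)   # user names or group names
    rights: set = field(default_factory=set)    # (resource domain, resource, access)

USER_DOMAIN = {"alice": "acct", "bob": "payroll"}
USER_RIGHTS = {"alice": {("acct", "home-alice", "Modify")}}
GROUPS = {
    # user -> Global -> Domain Local in payroll -> payroll files (slides' cross-domain case)
    "Acct Staff": Group("acct", "Global", {"alice"}, {("acct", "ledgers", "Modify")}),
    "Payroll Readers": Group("payroll", "DomainLocal", {"Acct Staff"},
                             {("payroll", "payslips", "Read")}),
    "All Staff": Group("acct", "Universal", {"Acct Staff", "bob"},
                       {("acct", "public", "Read")}),
    "Bad Global": Group("acct", "Global", {"bob"}),   # deliberately violates scope
}

def scope_violations():
    """(group, reason) pairs for assignments the scope rules forbid."""
    out = []
    for name, g in GROUPS.items():
        for m in g.members:
            mdom = USER_DOMAIN.get(m) or GROUPS[m].domain
            if g.scope == "Global" and mdom != g.domain:
                out.append((name, f"Global group holds {m} from domain {mdom}"))
        for rdom, res, _ in g.rights:
            if g.scope == "DomainLocal" and rdom != g.domain:
                out.append((name, f"Domain Local group has rights on {rdom}/{res}"))
    return out

def effective_rights(user):
    """Own rights plus those of every group reached through any nesting depth."""
    rights = set(USER_RIGHTS.get(user, set()))
    seen, stack = set(), [n for n, g in GROUPS.items() if user in g.members]
    while stack:
        n = stack.pop()
        if n in seen:               # a diamond or a nesting loop is visited once
            continue
        seen.add(n)
        rights |= GROUPS[n].rights
        stack.extend(m for m, g in GROUPS.items() if n in g.members)
    return rights
```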


Group Policy

• Not the same groups as used to assign permissions

• Policy group is either:

– Computer, Site, Domain or OU

• Policies contain user and computer related configuration information

• Can apply to any arbitrary set of users if the set of users is a complete domain or OU

• But a user is in only one OU (unless OUs are nested in a tree), so only one policy will apply

– Which sometimes makes sense


Group Policy Objects

• Create specific desktop configurations for particular groups of users.

• Collections of group policy settings.

• Computer has one local GPO and any number of AD-based GPOs.

• Local GPO can be overridden by other GPOs.

• Local GPO is the least influential in an Active Directory environment.


Group Policy Priority

• Local GPO:

– Computer has one GPO stored locally.

• Site GPOs:

– GPOs linked to site are processed next

– Administrator specifies the order of GPOs linked to a site.


Group Policy Priority

• Domain GPOs:

– Domain-linked GPOs are processed next

– Administrator specifies the order of GPOs linked to a domain.

• OU GPOs:

– GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs linked to its child OU, and so on


Group Policy Settings

• Some apply to users

– Based on user's domain and OUs

– Applied when user logs in

• Some apply to computer

– Based on computer's domain and OUs

– Applied when the OS initializes

• Include Software Settings, Windows Settings, and Administrative Templates


GPO Contents

• Scripts

– Logon/Logoff and Startup/Shutdown

• Security Settings

– Applied after security template

• Other software settings e.g. IE parameters

• Administrative Templates

– HKEY_LOCAL_MACHINE (HKLM)

– HKEY_CURRENT_USER (HKCU)


Aligning Policy Groups with Security Groups

• Policy groups are based on Domains and OUs

• Security Groups can be arbitrary and users can belong to multiple security groups

• To have GPOs for a security group

– Create a GPO for each group

– Apply all GPOs at top level (Domain)

– Grant security group read access to the GPO that should be applied to its members
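The Group Policy Priority order from the earlier slides (Local, Site, Domain, then OUs top-down, later GPOs overriding earlier ones) combined with the read-access filtering described just above, as an added example that is not part of the lecture. The sites, OUs, group names and settings are constructed; the "Developers Only" GPO is linked at domain level but readable only by the Developers group, which is the technique the slide describes.

```python
"""Added example, not from the slides: which settings a user ends up with after
Group Policy processing. Order is Local, Site, Domain, then OUs from the top of
the hierarchy down; a later GPO overrides an earlier one for the same setting,
and a GPO only applies if one of the user's security groups can read it (the
filtering technique the slides describe). Sites, OUs, groups and settings are
constructed sample data."""

# (scope, link target, name, groups allowed to read it, settings).
# Within one scope, list order is the administrator's link order.
GPOS = [
    ("local", None, "Local GPO", {"Authenticated Users"},
     {"screensaver_timeout": 900, "usb_storage": "allow"}),
    ("site", "HQ", "HQ Site", {"Authenticated Users"}, {"proxy": "proxy.hq"}),
    ("domain", "corp", "Domain Baseline", {"Authenticated Users"},
     {"screensaver_timeout": 600, "usb_storage": "deny"}),
    # Linked at domain level but readable only by Developers: security filtering.
    ("domain", "corp", "Developers Only", {"Developers"}, {"usb_storage": "allow"}),
    ("ou", "Finance", "Finance OU", {"Authenticated Users"}, {"screensaver_timeout": 300}),
    ("ou", "Finance/AP", "AP OU", {"Authenticated Users"}, {"proxy": "proxy.ap"}),
]
ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}


def resolve(site, ou_chain, groups):
    """Return (effective settings, names of the GPOs applied, in order).

    ou_chain lists the user's OUs from the top of the hierarchy down, e.g.
    ["Finance", "Finance/AP"]; every domain user is in Authenticated Users."""
    groups = set(groups) | {"Authenticated Users"}

    def applies(gpo):
        scope, target, _, readers, _ = gpo
        if scope == "site" and target != site:
            return False
        if scope == "ou" and target not in ou_chain:
            return False
        return bool(groups & readers)       # unreadable GPO -> not applied

    def rank(gpo):          # LSDOU, parent OU before child; stable sort keeps link order
        scope, target = gpo[0], gpo[1]
        return (ORDER[scope], ou_chain.index(target) if scope == "ou" else 0)

    effective, applied = {}, []
    for _, _, name, _, settings in sorted(filter(applies, GPOS), key=rank):
        effective.update(settings)          # later GPO wins for the same setting
        applied.append(name)
    return effective, applied
```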


GPO for Security Group


Resources

• Old but authoritative

– http://technet.microsoft.com/en-us/library/bb742424.aspx

• A tutorial

– http://searchwindowsserver.techtarget.com/tutorial/Active-Directory-Tutorial

• A collection

– http://www.petri.co.il/ad.htm

• Wikipedia

– http://en.wikipedia.org/wiki/Active_Directory