How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.
Presentation Outline
Demystifying Active Directory
Active Directory structure
Interoperability standards adherence
Common sense planning and deployment tips
What is a Directory Service?
Stated simply, a directory service is a listing
that helps organize and locate information
There are two primary components:
• Directory store for the data
• Services that act on the data
Service functions include data replication,
security rule enforcement, data distribution …
and more
What is Active Directory?
Microsoft's implementation of directory services in Windows 2000 Server and Windows .NET Server (the pre-release name of Windows Server 2003)
Networked object store and service that
locates and manages resources
Authenticates users and authorizes their use of resource objects according to defined rules (ACLs on the objects and group membership)
Specific Enterprise Functions of AD
Stores data on every object and its attributes
Security - authentication of users, ACL-based authorization on objects, and domain trusts
Central point for enterprise administration
Mechanism for OS interoperability
Consolidation of divergent directory services
System to replicate object data
Active Directory Relationships
Active Directory treats everything as an object: users, computers, groups, printers, published shares, etc.
Access to an object anywhere in the enterprise is possible (assuming permission)
DNS locates domain controllers (via SRV records) and resolves computer names during an object query
LDAP (Lightweight Directory Access Protocol) is the protocol used to query and modify directory objects
Kerberos v5 (the protocol developed at MIT) provides user authentication; NTLM remains available for legacy clients
Administration of Active Directory
Permits fine-grained hierarchical management
Supports delegation of admin functions
Provides single point for enterprise
management
Supports open standards, APIs and scripting
Provides backward compatibility with Windows NT 4.0 domains (NTLM authentication, mixed-mode domains) and directory synchronization with Novell Directory Services
Active Directory Structure
Active Directory divides itself into Logical and
Physical Structures
Logical structures are domains, trees, forests and organizational units (containers for objects), plus the schema, which defines the object classes and attributes those containers may hold
Physical structures are sites (defined by network subnets) and domain controllers (the servers that store and replicate the data)
Logical Structure
Base components are objects and their
attributes
Schema – defines the object classes and their attributes; there is one schema per forest, shared by every domain in it
Objects organized around hierarchical domain
model
Each domain has its own security permissions
and relationship with other domains
Active Directory Domain
Hierarchical infrastructure of networked computers
Domain – computer systems and network resources that share a common directory partition, security policy (password, lockout and Kerberos settings) and administrative boundary
A domain can cross physical locations and sites
Viewed as a grouping of resources that use a common domain name (namespace)
Caveat: the domain is an administrative and replication boundary, not an isolation boundary. The forest is the security boundary, because the configuration and schema partitions are shared and every domain controller is trusted by all the others, so a domain administrator (or anyone who compromises a DC) in one domain can affect every other domain in the forest
Domain Trees
Multiple domains that share a common schema, automatic two-way transitive trusts and a Global Catalog
Identify a domain tree by its common, contiguous namespace:
• sales.xyz.com and research.xyz.com are child domains of the xyz.com domain
• xyz.com is the root domain of the domain tree
Active Directory Domain Tree
Users log on to a specific domain, not to the tree as a whole; the tree's trusts let them reach resources in any domain of the tree
[Diagram: root domain Domain.com with child domains Sales.Domain.com and Products.Domain.com]
Domain Forest
A domain forest holds one or more domain trees with different (non-contiguous) namespaces
• xyz.com and abc.com are separate trees in the same forest; the tree-root trust between them is created automatically when the second tree is added to the forest
All trees within a forest share a common Global Catalog, configuration and schema
The forest takes its name from the first domain created (the forest root domain); it is the reference point between trees
Active Directory Forest
User logs on to his/her own domain, but can be granted access to any resource in the forest
[Diagram: two trees in one forest. Domain.com (root) with child domains Sales.Domain.com and Products.Domain.com; Domain2.com (root) with child domains Sales.Domain2.com and Products.Domain2.com]
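The tree and forest rules above (a tree is a contiguous DNS namespace; a forest may hold several trees) can be applied mechanically to a list of domain names. The following is an added example, not code from the original slides; it also derives each domain's LDAP naming context using the RFC 2247 DC= mapping the slides cite later. The domain names in it are constructed sample data, and the forest root domain (the first domain created) cannot be inferred from names alone, so it is not attempted.

```python
"""Group Active Directory domain names into trees and derive their LDAP
naming contexts (added example; not from the original slides).

Assumes every domain in the forest is known by its DNS name. The domain
names below are constructed sample data, not a real forest."""
from collections import defaultdict

# Constructed sample forest: two trees. "emea.sales.xyz.com" is a grandchild.
SAMPLE_FOREST_DOMAINS = [
    "xyz.com", "sales.xyz.com", "research.xyz.com", "emea.sales.xyz.com",
    "abc.com", "products.abc.com",
]


def parent_name(dns_name):
    """DNS parent: everything after the first label ('sales.xyz.com' -> 'xyz.com')."""
    return dns_name.partition(".")[2]


def dns_to_dn(dns_name):
    """RFC 2247 mapping of a DNS name to an LDAP distinguished name:
    each label becomes a DC= RDN, most specific label first."""
    labels = dns_name.strip(".").lower().split(".")
    return ",".join("DC=" + label for label in labels)


def tree_root(domain, domains):
    """Walk up the namespace while the parent is itself a domain in the set.
    The topmost domain reached is the tree root. A gap in the namespace
    (parent name not a domain) ends the walk: the tree is not contiguous."""
    current = domain
    while parent_name(current) in domains:
        current = parent_name(current)
    return current


def group_into_trees(domain_names):
    """Map each tree root to its member domains, root first, then by depth.
    The forest root (the first domain ever created) cannot be told from
    names alone; it is a property of the forest, not of the namespace."""
    domains = {d.strip(".").lower() for d in domain_names}
    trees = defaultdict(list)
    for d in domains:
        trees[tree_root(d, domains)].append(d)
    return {root: sorted(members, key=lambda n: (n.count("."), n))
            for root, members in trees.items()}


def describe_forest(domain_names):
    """Human-readable listing: one line per domain with its parent and DN."""
    lines = []
    for root, members in sorted(group_into_trees(domain_names).items()):
        lines.append(f"tree root {root}  DN={dns_to_dn(root)}")
        for m in members[1:]:
            lines.append(f"  child {m}  parent={parent_name(m)}  DN={dns_to_dn(m)}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe_forest(SAMPLE_FOREST_DOMAINS)))
```

Note the non-contiguous case: if sales.xyz.com and research.xyz.com exist but xyz.com was never created as a domain, each becomes its own tree root, which is exactly how Active Directory would treat them.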
Organizational Units (OUs)
Domains can be divided into organizational units
Organizational units can nest within one another
Use OUs to reflect departmental divisions or units with unique security and administrative rights; OUs are also the containers to which Group Policy is linked
Administrative delegation of resources is easy to apply to OU subsets
Active Directory OU
Organizational units (OUs) are sub-units within a domain
[Diagram: Domain.com (root) with child Sales.Domain.com; inside Sales.Domain.com, nested OUs OU 1 through OU 5]
Users log on to the domain (Sales.Domain.com), not to an OU; an OU is addressed by an LDAP distinguished name such as OU=OU 3,DC=Sales,DC=Domain,DC=com, not by a DNS name
Physical Structure
Mechanism for data communication and replication
Two primary components:
• Site – one or more well-connected IP subnets; the structural unit for replication scheduling and for steering clients to nearby domain controllers
• Domain controller and Global Catalog – physical servers that store and replicate the data
Active Directory Site
Physical network structure of Active Directory
Purpose: provides a method to regulate inter-subnet (inter-site) replication traffic and to direct clients to nearby domain controllers
Primary goal: rapid, economical data transmission
Do not define sites by organizational or location boundaries; define them by well-connected, reliable network links
No formal relationship between site and domain: a site can contain DCs from several domains, and a domain can span several sites
Domain Controller (DC)
Server containing a writable copy of the Active Directory database for its domain
All domain controllers are peers (multi-master replication) that maintain replicated versions of Active Directory
DC locates resources and authenticates users
Global Catalog is a domain controller that additionally holds a partial, read-only replica (a subset of attributes) of every object in every domain of the forest, for rapid forest-wide searches
DC is assigned to a site at installation, based on the IP subnet its address falls in, and can be moved to another site later
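The site and domain controller slides describe two mechanisms that are easy to see in code: a client derives its site from the subnet its address falls in, and it then uses DNS SRV records (the RFC 2052 records cited later in the standards list) to find a domain controller in that site before falling back to the domain as a whole. The following added example models both; it is not code from the original slides. The site/subnet table, the SRV answers and the `xyz.com` domain are constructed sample data, and no real DNS lookup is performed.

```python
"""Site-aware domain controller location (added example; not from the slides).

Models two things a Windows client does when it needs a DC:
1. derive its site from the subnet its IP address falls in (longest-prefix
   match over the site/subnet table an administrator defines);
2. ask DNS for SRV records, site-specific name first
   (_ldap._tcp.<site>._sites.dc._msdcs.<domain>), then the domain-wide name
   (_ldap._tcp.dc._msdcs.<domain>), and order the answers by priority
   (lowest first) and weight (RFC 2052/2782).
The site table and the DNS answers below are constructed sample data; no real
DNS queries are made."""
import ipaddress
import random

# Constructed site/subnet table (what an admin enters in Sites and Services).
SITE_SUBNETS = {
    "10.0.0.0/8": "HQ",               # broad subnet
    "10.20.0.0/16": "Branch-Denver",  # more specific, wins for 10.20.x.x
    "192.168.5.0/24": "Branch-Austin",
}

# Constructed SRV answers: query name -> list of (priority, weight, port, target)
FAKE_DNS_SRV = {
    "_ldap._tcp.Branch-Denver._sites.dc._msdcs.xyz.com": [
        (0, 100, 389, "dc3.xyz.com"),
    ],
    "_ldap._tcp.dc._msdcs.xyz.com": [
        (0, 100, 389, "dc1.xyz.com"),
        (0, 50, 389, "dc2.xyz.com"),
        (10, 100, 389, "dc3.xyz.com"),  # tried only if the priority-0 DCs fail
    ],
}


def site_for_ip(ip, site_subnets=SITE_SUBNETS):
    """Longest-prefix match of ip against the subnet table; None if uncovered."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def srv_query_names(domain, site):
    """Names the DC locator tries, most specific first."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def order_srv(records, rng=None):
    """Order SRV records: ascending priority; within one priority, weighted
    random order so heavier records come first more often (RFC 2782).
    A seeded rng makes the order reproducible."""
    rng = rng or random.Random(0)
    ordered = []
    for prio in sorted({r[0] for r in records}):
        bucket = [r for r in records if r[0] == prio]
        while bucket:
            total = sum(r[1] for r in bucket)
            pick = rng.uniform(0, total)
            running = 0
            for r in bucket:
                running += r[1]
                if pick <= running:
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered


def locate_dcs(client_ip, domain, dns=FAKE_DNS_SRV, rng=None):
    """Return (site, query name that was answered, DC targets in try order).
    Falls back to the domain-wide record set when the site has no DC of its
    own, and when the client's subnet belongs to no site at all."""
    site = site_for_ip(client_ip)
    for qname in srv_query_names(domain, site):
        records = dns.get(qname)
        if records:
            return site, qname, [r[3] for r in order_srv(records, rng)]
    return site, None, []


if __name__ == "__main__":
    for ip in ("10.20.3.4", "192.168.5.9", "172.16.0.1"):
        print(ip, locate_dcs(ip, "xyz.com"))
```

The Branch-Austin case is the one to watch in practice: a site with subnets but no domain controller sends every logon across the WAN to whichever DC the domain-wide records return, which is the traffic the site design is meant to avoid.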
Role of the Domain Controller
Every domain controller maintains information as part of Active Directory:
• Data on every object and container object in its own domain
• Metadata about the other domains in the tree or forest (the configuration partition)
• Listing of all domains in the tree or forest
• Location of the servers holding the Global Catalog (published in DNS)
Adherence to Industry Standards
Greater interoperability = open standards adherence:
• DNS dynamic update RFC 2136; DNS SRV records RFC 2052 (later RFC 2782)
• Dynamic Host Configuration Protocol RFC 2131
• Kerberos v5 RFC 1510
• Lightweight Directory Access Protocol RFC 2251 (LDAPv3), RFC 1823 (LDAP API)
• LDAP schema RFC 2247, 2252, 2256
• Simple Network Time Protocol RFC 1769
• Simple Mail Transfer Protocol RFC 821
• TCP/IP RFC 791, 793
• X.509 v3 certificates (ITU-T X.509 / ISO/IEC 9594-8)
Simplifying Planning/Deployment
Active Directory planning/deployment is large
task … but not overwhelming
Start by gathering organizational data
Design domain model on organizational
structure
Design site & domain controller requirements
based upon network connectivity
Gathering Organizational Data
Required data is readily available:
• Start with organization charts to help define domains & OUs
• Define what data resources are shared & restricted
• Ask HR for employee classifications for group policies
• Establish permissions based on common system needs
• Map physical locations & available connectivity
• Review where organizational shifts are likely to occur
Domains vs. Organizational Units
Single domain with OUs is easiest to
manage
Single domain model may not meet
needs in more complex organizations
Generally, size & need for separate
identity are critical decision points
When to Use Domain Trees
Desire for decentralized management
Unique business activities dictate child
domains
Need to establish unique domain wide policies
In large organizations, child domains lend
themselves to localized vs. centralized control
When to Use Domain Forest Model
When separate domain names required
When radically different business activities
exist
When acquired organizations require trusts
during initial merging of operations
Joint venture or partnership arrangements
where resources & data must be shared
Restricting Domain Forest Trusts
Trusts between domains within a forest (parent-child and tree-root trusts) are created automatically, are two-way and are transitive
Trusts to domains outside the forest (external trusts, e.g. to Windows NT 4.0 domains) are established one direction at a time and are NOT transitive
Set each external trust explicitly, only in the direction and between the pair of domains that actually need it
Because every domain in a forest ends up trusting every other, bring a domain into the forest only if you trust its administrators; an external trust is the tool for organizations you do not
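The trust rules above decide which accounts a given domain will authenticate, and the difference between transitive intra-forest trusts and one-way external trusts is easiest to see by walking the trust graph. The following added example, not code from the original slides, models those rules over a constructed forest (xyz.com with a second tree abc.com) plus a one-way external trust from sales.xyz.com to a legacy NT domain named PARTNER; all domain and trust names are sample data.

```python
"""Which domains' accounts can a resource domain authenticate, given its trusts?
Added example; not from the original slides. All domains and trusts are
constructed sample data.

Rules modelled (Windows 2000 Active Directory):
- parent-child and tree-root trusts inside a forest are created automatically
  and are two-way and transitive;
- external trusts to domains outside the forest (e.g. Windows NT 4.0 domains)
  are created explicitly, one-way, and non-transitive: they join exactly the
  two domains named and do not chain through other trusts."""
from collections import deque


class TrustModel:
    def __init__(self):
        # edge (trusting, trusted) -> transitive?  "trusting" is the resource
        # domain that accepts accounts from "trusted".
        self.edges = {}
        self.domains = set()

    def _add(self, trusting, trusted, transitive):
        self.domains.update((trusting, trusted))
        self.edges[(trusting, trusted)] = transitive

    def add_intra_forest_trust(self, parent, child):
        """Parent-child or tree-root trust: automatic, two-way, transitive."""
        self._add(parent, child, True)
        self._add(child, parent, True)

    def add_external_trust(self, trusting, trusted):
        """One-way, non-transitive: only `trusting` accepts `trusted` accounts."""
        self._add(trusting, trusted, False)

    def can_authenticate(self, account_domain, resource_domain):
        """True if resource_domain will authenticate an account from
        account_domain: either a direct trust of any kind exists, or a chain
        consisting only of transitive trusts leads there. A non-transitive
        edge is never used as an intermediate hop."""
        if account_domain == resource_domain:
            return True
        if (resource_domain, account_domain) in self.edges:
            return True
        seen, queue = {resource_domain}, deque([resource_domain])
        while queue:
            cur = queue.popleft()
            for (trusting, trusted), transitive in self.edges.items():
                if trusting != cur or not transitive or trusted in seen:
                    continue
                if trusted == account_domain:
                    return True
                seen.add(trusted)
                queue.append(trusted)
        return False

    def trusted_account_domains(self, resource_domain):
        """Every domain whose accounts resource_domain will authenticate."""
        return sorted(d for d in self.domains
                      if d != resource_domain and self.can_authenticate(d, resource_domain))


def build_sample_model():
    """Constructed forest xyz.com with a second tree abc.com, plus a one-way
    external trust from sales.xyz.com to a legacy NT domain PARTNER."""
    m = TrustModel()
    m.add_intra_forest_trust("xyz.com", "sales.xyz.com")
    m.add_intra_forest_trust("xyz.com", "research.xyz.com")
    m.add_intra_forest_trust("xyz.com", "abc.com")          # tree-root trust
    m.add_intra_forest_trust("abc.com", "products.abc.com")
    m.add_external_trust("sales.xyz.com", "PARTNER")        # sales trusts PARTNER
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for dom in sorted(model.domains):
        print(f"{dom} authenticates accounts from: {model.trusted_account_domains(dom)}")
```

Two results are worth checking by hand: PARTNER accounts are accepted by sales.xyz.com but by no other domain in the forest (the external trust does not chain), and a products.abc.com account is accepted everywhere in the forest even though no administrator ever created a trust between products.abc.com and sales.xyz.com. The second result is why the forest, not the domain, is the security boundary.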
Conclusion
Active Directory is very powerful tool for
enhancing administration and security
Understanding basic logical & physical
structure is fundamental
Planning & deployment requires work
but not as overwhelming as press
reports
Further Information
Contact Robert Williams: [email protected]
References by Robert Williams
Forthcoming 2002
© Copyright Robert Williams 2002