What’s Active Directory?
Part 1
Seung Joo Baek
Sr. Technical Evangelist
Microsoft Korea
Single Sign On (SSO)
• Authentication
• Authorization
• Right
• Permission
• Encryption
• Symmetric Key
• Asymmetric Key
• PKI
What is Directory?
• Microsoft – Active Directory
• Novell – eDirectory
• UNIX – OpenLDAP
Domain vs. Workgroup
• Where can I AUTHENTICATE?
• IDentity Provider (IDP)
• Where can I AUTHORIZE?
What’s Active Directory?
Part 2
Seung Joo Baek
Sr. Technical Evangelist
Microsoft Korea
What is Active Directory?
• Object
• Attribute
• Authentication - Kerberos
• Database (LDAP)
• Management
• Since Windows 2000 Server
Overview of AD DS
Physical components:
• Data store
• Domain controllers
• Global catalog server
• RODC
Logical components:
• Partitions
• Schema
• Domains
• Domain trees
• Forests
• Sites
• OUs
What Are AD DS Domains?
• AD DS requires one or more domain controllers
• All domain controllers hold a copy of the domain database, which is continually synchronized
• The domain is the context within which user, group, and computer accounts are created
• The domain is a replication boundary
• An administrative center for configuring and managing objects
• Any domain controller can authenticate any logon in the domain
What Are OUs?
Organizational Units
• Containers that can be used to group objects within a domain
• Create OUs to:
  • Delegate administrative permissions
Distinguished Name (DN)
• OU=Sales,DC=KOALRA,DC=COM
LDAP
• Query
• Active Directory Tools
  • LDP
  • ADSIEDIT.MSC
• LDAP Query Basic
  • http://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
  • http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
What Is an AD DS Forest?
Diagram: forest root domain adatum.com with child domain atl.adatum.com, and fabrikam.com as a tree root domain in the same forest
Overview of Different AD DS Trust Types
Trust type (transitive?):
• Parent-child: Yes
• Tree root: Yes
• External (domain or Kerberos realm): No
• Shortcut: No
• Forest (complete or selective): Yes
Diagram examples of external trusts: CONTOSO (Windows NT 4.0 domain) and Engineering (Kerberos realm)
What Is the AD DS Schema?
The Active Directory schema acts as a blueprint for AD DS by defining the attributes and object classes, such as:
• Attributes
  • objectSID
  • sAMAccountName
  • location
  • manager
  • department
• Classes
  • User
  • Group
  • Computer
  • Site
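An LDAP query against the directory filters on exactly these attributes and classes. As an added example that is not part of the slides, the Python below builds such a filter with RFC 4515 escaping (so a value containing "*" or ")" is matched literally instead of changing the filter) and splits a DN like the OU=Sales,DC=KOALRA,DC=COM shown earlier into its RDNs; the function names are my own.

```python
# Added example (not from the slides): build an LDAP search filter over the
# schema attributes named above, escaping values per RFC 4515, and split a
# distinguished name such as OU=Sales,DC=KOALRA,DC=COM into its RDNs.
# Standard library only, so it runs offline without a directory.
from typing import List, Optional, Tuple

# RFC 4515: these characters inside an assertion value must be hex-escaped,
# otherwise the value could change the structure of the filter itself.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an attribute value so it is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str, department: Optional[str] = None) -> str:
    """AND filter for one user account, optionally limited to a department."""
    parts = ["(objectClass=user)",
             f"(sAMAccountName={escape_filter_value(sam_account_name)})"]
    if department is not None:
        parts.append(f"(department={escape_filter_value(department)})")
    return "(&" + "".join(parts) + ")"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs, honouring RFC 4514
    backslash escapes so an escaped comma inside a value does not split it."""
    rdns: List[str] = []
    buf, i = "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().upper(), val.strip()))
    return pairs


def domain_from_dn(dn: str) -> str:
    """Reassemble the DNS domain name from the DC= components of a DN."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")
```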
What Is a Domain Controller?
Domain Controllers
• Servers that host the Active Directory database (NTDS.DIT) and SYSVOL
• Kerberos authentication service and KDC services perform authentication
• Best practices:
  • Availability: At least two domain controllers in a domain
What Are AD DS Partitions?
Active Directory database partitions:
• Configuration: forest-wide information about the Active Directory structure
• Schema: forest-wide definitions and rules for creating and manipulating objects and attributes
• <Domain>: information about domain-specific objects
• <Application>
Domain and Forest Boundaries
AD DS object: boundary type
• Domain: domain partition replication; administrative permissions; Group Policy application; auditing; password and account policies; domain DNS zone replication
• Forest: security boundary; schema partition replication; configuration partition replication; global catalog replication
What Is the Global Catalog?
Diagram: domain controllers in Domain A and Domain B, each holding its own domain partition plus the Configuration and Schema partitions
Global catalog:
• Hosts a partial attribute set for other domains in the forest
• Supports queries for objects throughout the forest
The AD DS Logon Process
Diagram: client workstation WKS1, domain controller DC1, and server SVR1
The AD DS logon process:
1. User account is authenticated to DC1
2. DC1 returns TGT back to client
3. Client uses TGT to apply for access to WKS1
4. DC1 grants access to WKS1
5. Client uses TGT to apply for access to SVR1
Kerberos
What Are Operations Masters?
In any multimaster replication topology, some operations must be single master
Many terms are used for single master operations in AD DS, including the following:
• Operations master (or operations master roles)
• Single master roles
• FSMOs
Roles
• Forest:
  • Domain naming master
  • Schema master
• Domain:
  • RID master
  • Infrastructure master
What’s Active Directory?
Part 4
Seung Joo Baek
Sr. Technical Evangelist
Microsoft Korea
Overview of SRV Resource Records for Domain Controllers
• Domain controllers register SRV records as follows:
  • _tcp.adatum.com: All domain controllers in the domain
  • _tcp.sitename._sites.adatum.com: All services in a specific site
• Clients query DNS to locate services in specific sites
How Client Computers Locate Domain Controllers Within Sites
The process for locating a domain controller occurs as follows:
1. New client queries for all domain controllers in the domain
2. Client attempts LDAP ping to find all domain controllers
3. First domain controller responds
4. Client queries for all domain controllers in the site
5. Client attempts LDAP ping to find all domain controllers in the site
6. Client stores domain controller and site name for further use
7. Domain controller is used for the full logon process, including authentication, building the token, and building the list of GPOs to apply
• Domain controller offline? Client queries for domain controllers in the site stored in the registry
• Client moved to another site? Domain controller refers client to another site
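The SRV lookups in steps 1 and 4 return several domain controllers, and the client has to choose among them. The Python below is an added example, not code from the slides: it builds the SRV owner names for the LDAP service (assuming the _ldap service label in front of the _tcp names shown above) and applies the RFC 2782 priority/weight selection to constructed sample answers, including the case where every record has weight 0.

```python
# Added example (not from the slides): the SRV owner names a domain member
# queries for LDAP on domain controllers, and RFC 2782 server selection over
# constructed SRV answers (lowest priority first, weighted choice within it).
# No DNS traffic is sent; the records are sample data.
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """Names queried for the LDAP service: the domain-wide record, and the
    site-specific record under _sites when the client knows its site."""
    names = [f"_ldap._tcp.{domain}"]
    if site:
        names.append(f"_ldap._tcp.{site}._sites.{domain}")
    return names


def eligible_targets(records: List[SrvRecord]) -> List[str]:
    """Only the lowest-priority group is contacted first."""
    lowest = min(r.priority for r in records)
    return sorted(r.target for r in records if r.priority == lowest)


def select_target(records: List[SrvRecord], seed: int = 0) -> Optional[SrvRecord]:
    """RFC 2782 selection: within the lowest-priority group, pick a record
    with probability proportional to its weight; if all weights are zero,
    pick uniformly. The seed makes the choice reproducible for testing."""
    if not records:
        return None
    rng = random.Random(seed)
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:
        return rng.choice(group)
    pick = rng.uniform(0, total)
    running = 0
    for rec in group:
        running += rec.weight
        if pick < running:        # weight-0 records are never chosen here
            return rec
    return group[-1]


# Constructed answers for _ldap._tcp.adatum.com (sample data, not a real lookup).
SAMPLE_ANSWERS = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.adatum.com."),
    SrvRecord(priority=0, weight=100, port=389, target="dc2.adatum.com."),
    SrvRecord(priority=10, weight=100, port=389, target="dc-remote.adatum.com."),
]
```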
What Is DNS?
DNS can be used to:
• Resolve host names to IP addresses
• Locate domain controllers and global catalog servers
• Resolve IP addresses to host names
What Are Computer Names?
Host name:
• Up to 255 characters long
• Can contain alphabetic and numeric characters, periods, and hyphens
• Part of FQDN
NetBIOS name:
• Represents a single computer or group of computers
• 15 characters used for the name
• 16th character identifies service
DNS Zones and Records
A DNS zone is a specific portion of DNS namespace that
contains DNS records
Zone types:
• Forward lookup zone
• Reverse lookup zone
Resource records in forward lookup zones include:
• A, MX, SRV, NS, SOA, and CNAME
Resource records in reverse lookup zones include:
How Internet DNS Names Are Resolved
Diagram: a workstation asks its local DNS server “What is the IP address of www.microsoft.com?”; the local DNS server queries the root DNS server, the .com DNS server, and the microsoft.com DNS server in turn, and the answer 207.46.230.219 is returned to the workstation
How a Client Resolves a Name
Name resolution order:
1. Local host name
2. DNS resolver cache / Hosts file content
3. DNS server
4. NetBIOS name cache
5. WINS server
6. Broadcast
7. Lmhosts file
What Are the Components of a DNS Solution?
Diagram: DNS servers on the Internet (root “.”, .com, .edu), DNS servers, DNS resolvers, and resource records
What Are Root Hints?
Diagram: a client asks its DNS server, which uses its root hints to reach the root (.) servers, then the com and microsoft DNS servers
Root hints contain the IP addresses for DNS
What Are DNS Queries?
Diagram: a DNS client asks the local DNS server for mail1.contoso.com (172.16.64.11); the local DNS server checks its database, then iteratively asks a root hint (.), the .com server (“Ask .com”), and the contoso.com server
A recursive query is sent to a DNS server and requires a complete answer
An iterative query directed to a DNS server may be answered with a referral to another DNS server
• Queries are recursive or iterative
• DNS clients and DNS servers initiate queries
• DNS servers are authoritative or nonauthoritative for a namespace
• An authoritative DNS server for the namespace will either:
  • Return the requested IP address
  • Return an authoritative “No”
• A nonauthoritative DNS server for the namespace will either:
  • Check its cache
  • Use forwarders
  • Use root hints
What Is Forwarding?
A forwarder is a DNS server designated to resolve external or offsite DNS domain names
Conditional forwarding forwards requests using a domain name condition
Diagram: a client computer asks the local DNS server “Where’s ServerA?”; requests for contoso.com go to the contoso.com DNS server (conditional forwarding), all other DNS domains go to the ISP DNS forwarder, which resolves them iteratively via the root hint (.) and .com (“Ask .com”) and answers “ServerA is at 131.107.0.44”
How DNS Server Caching Works
Diagram: Client1 and Client2 query the DNS server for ServerA
DNS server cache entry:
• Host name: ServerA.contoso.com
• IP address: 131.107.0.44
• TTL: 28 seconds
What’s Active Directory?
Part 5
Seung Joo Baek
Sr. Technical Evangelist
Microsoft Korea
Installing a Domain Controller on a Server Core of Windows Server 2012 R2
Use the Install-ADDSDomainController Windows PowerShell cmdlet to perform the installation. The following example installs the role and creates a new forest with Install-ADDSForest:
# Install the AD DS role binaries, then promote the server as the first DC of a new forest
Install-WindowsFeature -Name AD-Domain-Services
Install-ADDSForest -DomainName Koalra.Com -InstallDns -CreateDnsDelegation `
    -DomainMode Win2012R2 -ForestMode Win2012R2 `
    -DatabasePath "$env:SystemRoot\NTDS" -SysvolPath "$env:SystemRoot\SYSVOL" -LogPath "$env:SystemRoot\NTDS"
Installing an Additional Domain Controller on a Server Core of Windows Server 2012 R2
Use the Install-ADDSDomainController Windows PowerShell cmdlet to perform the installation. The following is an example:
# Install the AD DS role binaries, then promote the server as an additional DC replicating from DC01
Install-WindowsFeature -Name AD-Domain-Services
$Credential = Get-Credential   # domain administrator account/password
# Sample DSRM password from the slide; in practice read it with Read-Host -AsSecureString
$Password = ConvertTo-SecureString -AsPlainText -String Passw0rd -Force
Install-ADDSDomainController -DomainName Koalra.Com -DatabasePath "$env:SystemRoot\NTDS" `
    -LogPath "$env:SystemRoot\NTDS" -SysvolPath "$env:SystemRoot\SYSVOL" -InstallDns `
    -ReplicationSourceDC "DC01.Koalra.Com" -SafeModeAdministratorPassword $Password `
    -NoRebootOnCompletion -Credential $Credential
Group Types
• Distribution groups
  • Used only with email applications
  • Not security-enabled (no SID); cannot be given permissions
• Security groups
  • Security principal with an SID; can be given permissions
Group Scopes
Legend: U = User, C = Computer, GG = Global Group, DLG = Domain Local Group, UG = Universal Group
Group scope: members from same domain / members from domain in same forest / members from trusted external domain / can be assigned permissions to resources
• Local: U, C, GG, DLG, UG and local users / U, C, GG, UG / U, C, GG / On the local computer only
• Domain Local: U, C, GG, DLG, UG / U, C, GG, UG / U, C, GG / Anywhere in the domain
• Universal: U, C, GG, UG / U, C, GG, UG / N/A / Anywhere in the forest
• Global: U, C, GG / N/A / N/A / Anywhere in the domain or a
Implementing Group Management
IGDLA:
• Identities (I): users or computers, which are members of
• Global groups (G): which collect members based on members’ roles, which are members of
• Domain local groups (DL): which provide management such as resource access, which are
• Assigned access to a resource (A)
Example: Sales (Global Group) and Auditors (Global Group) are members of ACL_Sales_Read (Domain Local Group)
In a multi domain forest, it is IGUDLA, where U is Universal
Dynamic Group Membership?
• Kerberos – FAST (Flexible Authentication Secure Tunneling)
• Windows Server 2012 Dynamic Access Control
What’s Active Directory?
Part 6
Seung Joo Baek
Sr. Technical Evangelist
Microsoft Korea
Computer Accounts and Secure Channels
• Computers have accounts
  • sAMAccountName and password
  • Used to create a secure channel between the computer and a domain controller
• Scenarios where a secure channel can be broken
  • Reinstalling a computer, even with the same name, generates a new SID and password
  • Restoring a computer from an old backup, or rolling back a computer to an old snapshot
Default Container
• Computers, Users Container
• Redirusr
Bulk Export/Import
• Ldifde
Characteristics of AD DS Replication
• Multimaster replication ensures:
  • Accuracy (integrity)
  • Consistency (convergence)
  • Performance (keeping replication traffic to a reasonable level)
• Key characteristics of Active Directory replication include:
  • Multimaster replication
  • Pull replication
  • Store-and-forward
  • Partitions
  • Automatic generation of an efficient, robust replication topology
  • Attribute-level replication
  • Distinct control of intrasite and intersite replication
  • Collision detection and remediation
How Replication Topology Is Generated
Diagram: domain controllers A1 to A4 in Domain A and B1 to B3 in Domain B; each domain has its own domain topology, both share the schema and configuration topology, and global catalog replication runs between the global catalog servers
What Are AD DS Sites?
• Sites identify network locations with fast, reliable network connections
• Sites are associated with subnet objects
• Sites are used to manage:
  • Replication: domain controllers separated by slow, expensive links
  • Service localization:
    • Domain controller authentication (LDAP and Kerberos)
    • Active Directory–aware (site aware) services or applications
Diagram: a site containing domain controller A2 and its IP subnets
Why Implement Additional Sites?
• Create additional sites when:
  • A part of the network is separated by a slow link
  • A part of the network has enough users to warrant hosting domain controllers or other services in that location
  • You want to control service localization
  • You want to control replication between domain controllers
Diagram: two sites, each with its own IP subnets and domain controllers (A1, A2, A3)
How Replication Works Between Sites
Replication within sites:
• Assumes fast, inexpensive and highly reliable network links
• Does not compress traffic
• Uses a change notification mechanism
Replication between sites:
• Assumes higher cost, limited bandwidth and unreliable network links
• Ability to compress replication between sites
• Occurs on a configured schedule
• Can be configured for immediate and urgent replications
Diagram: replication within a site between A1 and A2 over the site’s IP subnets, and replication between sites to B1 and B2
Read-Only Domain Controller (RODC)
• Windows Server 2008~
• Low Physical Security Level
• Cache
  • Password
  • Attribute
What’s Active Directory?
Part 7
Seung Joo Baek
Sr. Technical Evangelist
Microsoft Korea
Benefits of Using Group Policy
• Group Policies are very powerful administrative tools. You can use them to enforce various types of settings to a large number of users and computers
• Typically, GPOs are used in the following ways:
  • Apply security settings
  • Manage desktop application settings
  • Deploy application software
  • Manage folder redirection
  • Configure network settings
Components of Group Policy
A Group Policy setting defines a specific configuration change to apply to a user or a computer
A GPO is a collection of Group Policy settings that can be applied to a user, computer, or both, to enact changes
What Are Multiple Local GPOs?
Multiple Local Group Policies:
• Have a single computer configuration that applies to the computer for all users who log on
• Have layers of user settings that can apply only to individual users, not to groups
There are three layers of user configurations:
• Non-Administrator
• Administrator
• User-specific
GPO Storage
GPO
• Contains Group Policy settings
• Stores content in two locations
Group Policy Container
• Stored in AD DS
• Provides version information
Group Policy Template
• Stored in shared SYSVOL folder
• Provides Group Policy settings
What Are Group Policy Preferences?
Using Group Policy preferences, you can:
• Configure, deploy, and manage operating system and application settings that are not manageable by using Group Policy
• Apply Group Policy preferences:
  • Once, or refreshed at intervals
  • Targeted to users or computers
Group Policy preferences:
• Expand the range of configurable settings within a GPO
• Are not enforced
• Are not removed when the GPO no longer applies
• Do not disable the interface of the setting; users can change the setting
Comparing Group Policy Preferences and GPO Settings
Group Policy settings:
• Strictly enforce policy settings by writing the settings to areas of the registry that standard users cannot modify
• Typically disable the user interface for settings that Group Policy is managing
• Refresh policy settings at a regular interval
Group Policy preferences:
• Are written to the normal locations in the registry that the application or operating system feature uses to store the setting
• Do not cause the application or operating system feature to disable the user interface for the settings they configure
• Refresh preferences by using the same interval as Group Policy settings by default
GPO Links
GPOs can be linked to:
• Sites
• Domains
• OUs
GPOs cannot be linked to:
• Users
• Groups
• Computers
• System containers
To deliver settings to an object, a GPO must be linked to a container
Disabling a link removes the settings from the container
Deleting a link does not delete the GPO
Applying GPOs
• When you apply GPOs, remember that:
  • Computer settings apply at startup
  • User settings apply at logon
  • Policies refresh at regular, configurable intervals
  • Security settings refresh at least every 16 hours
  • Policies refresh manually by using:
    • The Gpupdate command
    • The Windows PowerShell cmdlet Invoke-GPUpdate
    • With the new Remote Policy Refresh feature in Windows
Group Policy Processing Order
Diagram: processing order Local Group Policy, then Site, Domain, and OUs (parent to child), with GPO1 to GPO5 linked at the site, domain and OU levels
What Are the Default GPOs?
There are two default GPOs:
• Default Domain Policy
  • Used to define the account policies for the domain:
    • Password
    • Account lockout
    • Kerberos protocol
• Default Domain Controllers Policy
  • Used to define auditing policies
GPO Security Filtering
Apply Group Policy permissions
• GPO has an ACL (Delegation tab, click Advanced)
• Default: Authenticated Users have Allow Apply Group Policy
Scope only to users in selected global or universal groups
• Remove Authenticated Users
• Add appropriate global or universal groups (GPOs do not scope to domain local groups)
Scope to users except for those in selected groups
• On the Delegation tab, click Advanced
• Add appropriate global groups
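Processing order and security filtering together decide which GPO wins a setting for a given user. The Python below is an added example, not code from the slides: it applies constructed GPOs in the Local, Site, Domain, OU order shown earlier, skips any GPO whose ACL does not grant Apply Group Policy to the principal or one of its groups, and records which GPO supplied each resulting value (the kind of answer the Group Policy Results wizard gives); the GPO names, settings and group names are sample data.

```python
# Added example (not from the slides): simulate how a client builds its
# resultant set of policy. GPOs are applied in LSDOU order (Local, Site,
# Domain, OU from parent to child), so a setting from a later link wins, and
# a GPO is skipped for a principal that lacks Apply Group Policy on its ACL
# (security filtering). All GPOs and principals are constructed sample data.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Gpo:
    name: str
    settings: Dict[str, str]
    # Groups with Read and Apply Group Policy allowed; the default ACL
    # grants this to Authenticated Users.
    apply_to: FrozenSet[str] = frozenset({"Authenticated Users"})


@dataclass
class Principal:
    name: str
    groups: FrozenSet[str]   # global or universal groups (domain local groups do not scope GPOs)


def security_filter_allows(gpo: Gpo, who: Principal) -> bool:
    """True when the principal itself or one of its groups holds Apply Group Policy."""
    return bool(gpo.apply_to & (who.groups | {who.name}))


def resultant_set(chain: List[List[Gpo]], who: Principal) -> Dict[str, Tuple[str, str]]:
    """chain lists the GPO links per level in processing order:
    [local, site, domain, parent OU, ..., child OU]. Within a level the GPOs
    are given lowest precedence first. Returns setting -> (value, winning GPO)."""
    result: Dict[str, Tuple[str, str]] = {}
    for level in chain:
        for gpo in level:
            if not security_filter_allows(gpo, who):
                continue            # filtered out: contributes nothing
            for key, value in gpo.settings.items():
                result[key] = (value, gpo.name)   # a later link overwrites an earlier one
    return result


# Constructed links: the same screen-saver setting at every level, the domain
# account policy in the Default Domain Policy, and GPO4 filtered to the Sales global group.
LOCAL = [Gpo("Local Group Policy", {"ScreenSaverTimeout": "900"})]
SITE = [Gpo("GPO1", {"ScreenSaverTimeout": "600"})]
DOMAIN = [Gpo("Default Domain Policy", {"MinimumPasswordLength": "7"}),
          Gpo("GPO2", {"ScreenSaverTimeout": "300"})]
OU_SALES = [Gpo("GPO4", {"ScreenSaverTimeout": "120"}, frozenset({"Sales"}))]
CHAIN = [LOCAL, SITE, DOMAIN, OU_SALES]
```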
Resultant Set of Policy
Diagram: Local Group Policy, Site, Domain and OU levels with GPO1 to GPO5
Windows Server 2012 provides the following tools for performing RSoP analysis:
• The Group Policy Results Wizard
• The Group Policy Modeling Wizard
What Are Administrative Templates?
Administrative Templates sections for computers are:
• Control Panel
• Network
• Printers
• System
• Windows components
Administrative Templates sections for users are:
• Control panel
• Desktop
• Network
• Start menu and taskbar
• System
• Windows components
Administrative Templates provide you with the ability to control both the environment of the operating system and user experience