WINDOWS 2000 Training Division, NIC

Academic year: 2021

WINDOWS 2000

Active Directory Services

Training Division, NIC

Active Directory

Active Directory Service

• Directory service functionality

• Centrally organizing, managing and controlling resources.

• Users can access any resource without knowing where the resource is or how it is physically connected.

• Centralized management of resources

• Easy for network administrators to manage the resources in their network.

What Is Active Directory?

Diagram: Active Directory at the centre, the focal point for:
• Users and resources
• Security
• Delegation
• Policy
• Management

Around it, the kinds of participants that keep their information in the directory:
• Windows Users – account info, privileges, profiles, policy
• Windows Clients – management profile, network info, policy
• Windows Servers – management profile, network info, services, printers, file shares, policy
• Applications – server config, single sign-on, app-specific directory info, policy
• Internet Firewall Services – configuration, security policy, VPN policy
• Network Devices – configuration, QoS policy, security policy
• Other Directories – e-commerce
• Other NOS – user registry, security, policy
• E-Mail Servers – mailbox info, address book

Technologies supported by Active Directory

• DHCP – Dynamic Host Configuration Protocol
• TCP/IP – network transports
• DNS – Domain Name System
• SNTP – Simple Network Time Protocol
• LDAP – Lightweight Directory Access Protocol
• LDIF – LDAP Data Interchange Format
• Kerberos
• X.509

(6)

Windows 2000 Operating System Object Manager Security Reference Monitor Process Manager Local Procedure Call Facility Virtual Memory Manager Window Manager Graphic Device Drivers Device Drivers System Services Microkernel

Hardware Abstraction Layer (HAL)

Hardware I/O Manager Windows NT interfaces Applications Windows NT4 Directory Cache Manager

Windows NT Operating system

File System Drivers

(7)

Windows 2000 Operating System Object Manager Security Reference Monitor Process Manager Local Procedure Call Facility Virtual Memory Manager Window Manager Graphic Device Drivers Device Drivers System Services Microkernel

Hardware Abstraction Layer (HAL)

Hardware I/O Manager ADSI Applications Active Directory Services Cache Manager

Windows 2000 Operating System

Network Drivers

Features of Active Directory

• Information security
• Policy-based administration
• Extensibility
• Scalability
• Replication of information
• Integration with DNS

Active Directory - Schema

• The schema is a specific definition of the permitted object types and attributes.

  e.g. User Account object – Name, Title and Manager attributes

Active Directory - Domain

Domain
– Is a security boundary in the Active Directory
– OU properties are inherited within a domain only, not across domains
– Provides a replication boundary

Domain Modes

• Mixed Mode
  – Support for pre-Windows 2000
• Native Mode

Organizational units

• Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units.
• An organizational unit cannot contain objects from other domains.
• An organizational unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority.
• Organizational units can be nested to arbitrary depth to represent the hierarchical, logical structures within the organization. This makes it possible to manage the configuration and use of accounts and resources based on the organizational model.

Diagram: example organizational unit hierarchy – Administration, Finance, P&V, Training, Hardware, Purchase, Stores.

Active Directory – Tree

Domain Tree
– One or more domains having a relationship with a root domain
– Domains within a domain tree form a contiguous namespace
– Schema is common among all domains in a domain tree
– Security handled by Kerberos trust

Why more than one domain?

• Different business locations
  – Multinational companies
  – Regional headquarters
• WAN links
  – Slow links between major sites
  – Reduce replication traffic
• Security boundaries
  – Subsidiaries

How Many Domains?

Diagram: example domain tree
widgets.org
  na.widgets.org – hq.na.widgets.org, we.na.widgets.org (west), ce.na.widgets.org (central), ea.na.widgets.org (east)
  euro.widgets.org – uk.euro.widgets.org (uk), ge.euro.widgets.org (german), fr.euro.widgets.org (france)
  asia.widgets.org – jp.asia.widgets.org (japan), oz.asia.widgets.org (australia), nz.asia.widgets.org (new zealand)

When To Consider A Forest

• If the company is diverse, a forest may be the best model
• Creating a forest creates:
  – Separate administrative domain trees
  – Multiple namespaces
  – More administrators

Active Directory – Forest

• Forest
  – A set of domain trees
    • Common schema and configuration
    • Global Catalog
    • Secured by Kerberos trust
    • Namespace is non-contiguous, i.e. del.com, msn.com
  – Useful for companies with subsidiaries that

Forest

• Allows a company's different branches to easily work together without changing names
• Allows for easy merger or sale (post Windows 2000…)
• Avoids political problems with administrators

Diagram: Assam.nic.in
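The tree and forest slides above hinge on one rule: domains whose DNS names chain up to a common root form one domain tree (a contiguous namespace), and a forest whose trees have unrelated root names has a non-contiguous namespace. The following added example (written for this page, not code from the training slides) groups a list of domain names into trees by that rule. The widgets.org names come from the "How Many Domains?" slide and del.com / msn.com from the forest slide; the helper names are my own.

```python
"""Group a forest's domains into domain trees by contiguous DNS namespace.

Added example, not from the training slides. Domain names are taken from the
widgets.org tree on the "How Many Domains?" slide plus del.com and msn.com
from the forest slide; the function names are assumptions of this example.
"""
from typing import Dict, List, Optional, Set


def parent_domain(name: str) -> Optional[str]:
    """DNS parent of a name: na.widgets.org -> widgets.org; a single label has no parent."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def tree_root(domain: str, forest: Set[str]) -> str:
    """Walk up the DNS hierarchy to the highest ancestor that is also a domain in the forest.

    Ancestors that are themselves forest domains form the contiguous namespace
    of one domain tree; a domain with no such ancestor is itself a tree root.
    """
    root = domain.lower()
    ancestor = parent_domain(root)
    while ancestor is not None:
        if ancestor in forest:
            root = ancestor
        ancestor = parent_domain(ancestor)
    return root


def domain_trees(forest_domains: List[str]) -> Dict[str, List[str]]:
    """Map every tree root in the forest to the sorted list of domains in that tree."""
    forest = {d.lower() for d in forest_domains}
    trees: Dict[str, List[str]] = {}
    for d in sorted(forest):
        trees.setdefault(tree_root(d, forest), []).append(d)
    return trees


def is_contiguous(forest_domains: List[str]) -> bool:
    """One tree means a contiguous namespace; several roots (del.com, msn.com) mean it is not."""
    return len(domain_trees(forest_domains)) == 1


# Domain tree from the "How Many Domains?" slide.
WIDGETS_TREE = [
    "widgets.org",
    "na.widgets.org", "euro.widgets.org", "asia.widgets.org",
    "hq.na.widgets.org", "we.na.widgets.org", "ce.na.widgets.org", "ea.na.widgets.org",
    "uk.euro.widgets.org", "ge.euro.widgets.org", "fr.euro.widgets.org",
    "jp.asia.widgets.org", "oz.asia.widgets.org", "nz.asia.widgets.org",
]
# Forest with additional trees whose root names are unrelated (forest slide).
FOREST = WIDGETS_TREE + ["del.com", "msn.com"]

if __name__ == "__main__":
    for root, members in domain_trees(FOREST).items():
        print(f"tree root {root}: {len(members)} domain(s)")
    print("contiguous namespace:", is_contiguous(FOREST))
```

Run stand-alone it prints three tree roots for the forest; the WIDGETS_TREE list on its own is reported as contiguous.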

Trust Relationships

One-Way, Non-Transitive Trust

Diagram: Domain A, Domain B, Domain C joined by one-way trusts.

Two-Way, Transitive Trust

Diagram: Domain A trusts Domain B, Domain B trusts Domain C (two-way, transitive).
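To make the difference between the two diagrams concrete, here is an added example (not from the slides) that models trusts as directed edges and answers "can accounts from domain X be authenticated for resources in domain Y?". The rule it implements: a direct trust always counts, but a chain of trusts only counts when every hop is transitive. The Trust class and the can_authenticate helper are assumptions of this example; the A/B/C domains follow the diagrams.

```python
"""Trust relationships: one-way / two-way and transitive / non-transitive.

Added example, not from the training slides. The Trust class and the
can_authenticate helper are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Trust:
    trusting: str            # resource domain that accepts logons from the trusted domain
    trusted: str             # account domain whose users are accepted
    two_way: bool = False
    transitive: bool = False


def _edges(trusts: Iterable[Trust]):
    """Directed edges trusting -> trusted; a two-way trust yields one edge in each direction."""
    for t in trusts:
        yield t.trusting, t.trusted, t.transitive
        if t.two_way:
            yield t.trusted, t.trusting, t.transitive


def can_authenticate(trusts: Iterable[Trust], resource_domain: str, account_domain: str) -> bool:
    """True if accounts from account_domain can be authenticated for resources in resource_domain.

    A direct trust counts whether or not it is transitive. A longer chain counts
    only when every hop is transitive: a non-transitive trust never extends
    beyond the two domains that hold it.
    """
    if resource_domain == account_domain:
        return True
    adjacency: Dict[str, List[Tuple[str, bool]]] = {}
    for src, dst, transitive in _edges(trusts):
        adjacency.setdefault(src, []).append((dst, transitive))
    stack, seen = [resource_domain], {resource_domain}
    while stack:
        current = stack.pop()
        for nxt, transitive in adjacency.get(current, []):
            direct = current == resource_domain
            if nxt == account_domain and (direct or transitive):
                return True
            if transitive and nxt not in seen:      # only transitive hops may be chained
                seen.add(nxt)
                stack.append(nxt)
    return False


# One-way, non-transitive trusts A -> B and B -> C (first diagram).
ONE_WAY = [Trust("A", "B"), Trust("B", "C")]
# Two-way, transitive trusts A <-> B and B <-> C (second diagram; Kerberos trust in a tree).
TWO_WAY = [Trust("A", "B", two_way=True, transitive=True),
           Trust("B", "C", two_way=True, transitive=True)]

if __name__ == "__main__":
    for label, trusts in (("one-way non-transitive", ONE_WAY), ("two-way transitive", TWO_WAY)):
        answers = {f"{r}<-{a}": can_authenticate(trusts, r, a) for r, a in [("A", "B"), ("A", "C"), ("C", "A")]}
        print(label, answers)
```

With the non-transitive trusts, resources in A accept accounts from B but not from C, and B does not accept A at all; with the two-way transitive trusts, A and C reach each other through B.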

Searching Forests and Trees

– Users can search for all information within the domain tree using a Global Catalog and the Start / Search feature
– Allows for fast searching of key information in AD, without querying all of the domains

Active Directory - GC

Global Catalog
– Contains a partial replica of the information contained within each of the domains
– Network administrators designate which attributes get placed in the Global Catalog and which are indexed

Global Catalog

Diagram: in a domain tree, a DC designated as a GC has knowledge of its own domain information (which is complete).

Schema and Global Catalog

Diagram: User Account object attributes – Name, Title, Manager, Office Location, Phone, Division.
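The two slides above describe the Global Catalog as a partial replica: every object from every domain, but only the attributes the administrator flags for it. The added example below (written for this page, not code from the slides) builds such a replica from the full replicas of two domains and shows the consequence for searching: a flagged attribute can be searched forest-wide in one place, an unflagged one has to be looked up in the owning domain. The attribute names are those on the schema slide; which of them are flagged, the two domains, and the user records are constructed.

```python
"""Global Catalog as a partial replica of every domain in the forest.

Added example, not from the training slides. Attribute names come from the
Schema / Global Catalog slide; the GC flags, domains and user records are
constructed for illustration.
"""
from typing import Dict, List, Optional

# Schema: attribute -> replicated to the Global Catalog? (assumed flags)
USER_SCHEMA: Dict[str, bool] = {
    "name": True,
    "title": True,
    "manager": True,
    "officeLocation": False,
    "phone": True,
    "division": False,
}

# Full replicas held by the domain controllers of each domain (constructed data).
DOMAIN_REPLICAS: Dict[str, List[dict]] = {
    "na.widgets.org": [
        {"name": "Ann Lee", "title": "Engineer", "manager": "Bo Ray",
         "officeLocation": "Bldg 2", "phone": "100", "division": "R&D"},
        {"name": "Bo Ray", "title": "Manager", "manager": "",
         "officeLocation": "Bldg 1", "phone": "101", "division": "R&D"},
    ],
    "euro.widgets.org": [
        {"name": "Cy Fox", "title": "Engineer", "manager": "Di Ng",
         "officeLocation": "London", "phone": "200", "division": "Sales"},
    ],
}


def partial_attribute_set(schema: Dict[str, bool]) -> List[str]:
    """Attributes the administrator has designated for the Global Catalog."""
    return [attr for attr, in_gc in schema.items() if in_gc]


def build_global_catalog(replicas: Dict[str, List[dict]], schema: Dict[str, bool]) -> List[dict]:
    """Copy every object from every domain, keeping only GC attributes plus its home domain."""
    keep = partial_attribute_set(schema)
    gc: List[dict] = []
    for domain, objects in replicas.items():
        for obj in objects:
            entry = {attr: obj[attr] for attr in keep}
            entry["_domain"] = domain
            gc.append(entry)
    return gc


def search(gc: List[dict], schema: Dict[str, bool], attr: str, value: str) -> Optional[List[dict]]:
    """Forest-wide search against the GC.

    Returns None when the attribute is not in the GC: that search cannot be
    answered here and must go to the domain controllers of each domain.
    """
    if not schema.get(attr, False):
        return None
    return [entry for entry in gc if entry[attr] == value]


def search_domain(replicas: Dict[str, List[dict]], domain: str, attr: str, value: str) -> List[dict]:
    """Fallback: query one domain's full replica (complete for that domain only)."""
    return [obj for obj in replicas[domain] if obj.get(attr) == value]


if __name__ == "__main__":
    gc = build_global_catalog(DOMAIN_REPLICAS, USER_SCHEMA)
    print("GC attributes:", partial_attribute_set(USER_SCHEMA))
    print("engineers forest-wide:", search(gc, USER_SCHEMA, "title", "Engineer"))
    print("division via GC:", search(gc, USER_SCHEMA, "division", "R&D"))
    print("division via na.widgets.org DC:", search_domain(DOMAIN_REPLICAS, "na.widgets.org", "division", "R&D"))
```

The trade-off the slides describe shows up directly: the more attributes flagged for the GC, the more searches it can answer, at the cost of more data replicated to every GC server.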

Physical Components of Active Directory

• Sites

Active Directory - Site

• Site
  – Relates directly to the network topology and network connectivity
  – Defined as an area of "good" network connectivity
  – Primarily affects
    • User logon
    • Replication traffic

Replication Protocols

• Replication within a site uses RPC over IP
• Replication between sites can use:
  – RPC over IP

Knowledge Consistency Checker configures replication connections

Diagram: within a site, the KCC creates the connection objects between server object A and server object B.

Reviewing design strategy

• Start with one domain

Rules for parts

• Every Site, Domain, Organizational Unit (SDOU) must have a reason for its existence
  – Who is creating the DS object?
  – What is its purpose?
  – Who will administer this object?
  – How long will the object live?
• Introduction to Group Policy

Group Policy

• Group Policy settings define the various components of the user's desktop environment that a system administrator needs to manage. To create a specific desktop configuration for a particular group of users, you use the Group Policy snap-in. Group Policy settings are associated with selected Active Directory
(45)

Group Policy Settings

• IntelliMirror Technology • Specify Settings for:

?Registry-based policy settings

?Options for local, domain, and network security ?Central management of software installation

User and computer policy

User policy (settings located under the User Configuration node in Group Policy) is obtained when a user logs on.

Computer policy settings are located under Computer Configuration, and are obtained
(47)

Local Group Policy Site Group Policy Domain Group Policy

(48)

Inheritance of Group Policy in Active

Directory

? All domains in the site receive the same security settings ? Accounting receives their own Start menu and the

Domain wallpaper

? OU1 and OU2 receive unique logon scripts

Site

OU1

? Configure Start menu ? Set wallpaper

? Enforce secure logon ? Add registry keys

? Configure Start menu ? Specify logon script ? Specify logon script

Domain

Creating a Group Policy Object

Screenshot: Active Directory Users and Computers (dsa), domain Samerica1.contoso with the containers Builtin, Computers, Domain Controllers, Ohio, Users and Accounting. Right-clicking the Accounting OU offers Delegate control..., Add members to a Group, Move..., Find..., New, All Tasks, View, New Window from Here, Delete, Rename, Refresh, Export List... and Properties.

Accounting Properties has the tabs General, Managed By and Group Policy. The Group Policy tab lists the current Group Policy Object links for Accounting, each with No Override and Disabled checkboxes, the buttons New, Add..., Edit, Options..., Delete... and Properties, and a Block Policy inheritance checkbox. Group Policy Objects higher in the list have the highest priority. This list is obtained from the primary domain controller.

Managing Group Policy Object Permissions

• Modifying permissions
• Filtering the scope of a GPO
• Delegating control with permissions

Screenshot: GPO properties with the tabs General, Links and Security. The Security tab lists the principals (User 1 and Phone Support (SAMER\Phone Support)) with Add... and Remove buttons, and for the selected principal the permissions Full Control, Read, Write, Create All Child Objects, Delete All Child Objects and Apply Group Policy, each with Allow and Deny checkboxes.
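The last four slides together define how a Group Policy setting ends up on a user's desktop: local policy first, then site, domain and OU; within one container the GPO higher in the list has priority; Block Policy inheritance discards GPOs linked above the container; No Override protects a link from being blocked or overridden lower down; and the Apply Group Policy permission (with Deny winning over Allow) filters who receives a GPO at all. The added example below (written for this page, not code from the slides) resolves effective settings under exactly those rules. The containers and GPOs reproduce the inheritance slide (site security settings, domain Start menu and wallpaper, Accounting OU Start menu and logon script); the class names, setting names, and the use of the Phone Support group for filtering are constructed.

```python
"""Resolve effective Group Policy settings: Local -> Site -> Domain -> OU order,
link priority, Block Policy inheritance, No Override and security filtering.

Added example, not from the training slides. GPO/Container classes, setting
names and the filtering group are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]
    no_override: bool = False                       # "No Override" on the link
    disabled: bool = False
    apply_allow: Set[str] = field(default_factory=lambda: {"Authenticated Users"})
    apply_deny: Set[str] = field(default_factory=set)

    def applies_to(self, groups: Set[str]) -> bool:
        """Security filtering: an Allow on Apply Group Policy is needed and any Deny wins."""
        return bool(self.apply_allow & groups) and not (self.apply_deny & groups)


@dataclass
class Container:
    name: str
    links: List[GPO]                # GPOs higher in the list have the highest priority
    block_inheritance: bool = False


def effective_settings(local: Dict[str, str], path: List[Container],
                       groups: Set[str]) -> Dict[str, Tuple[str, str]]:
    """Return setting -> (value, source) for a principal whose containers are site, domain, OU..."""
    result = {key: (value, "Local") for key, value in local.items()}
    # Block Policy inheritance on a container discards every non-enforced GPO linked above it.
    blocked_above = max((i for i, c in enumerate(path) if c.block_inheritance), default=-1)
    order: List[Tuple[GPO, str]] = []
    for i, container in enumerate(path):
        if i < blocked_above:
            continue
        # Reverse link order: lowest-priority GPO applied first, highest applied last.
        for gpo in reversed(container.links):
            if not gpo.disabled and not gpo.no_override and gpo.applies_to(groups):
                order.append((gpo, container.name))
    # No Override GPOs are applied after everything else and are never blocked; an
    # enforced GPO at a higher level beats one lower down, so apply deepest first.
    for container in reversed(path):
        for gpo in reversed(container.links):
            if not gpo.disabled and gpo.no_override and gpo.applies_to(groups):
                order.append((gpo, container.name))
    for gpo, source in order:
        for key, value in gpo.settings.items():
            result[key] = (value, f"{source}/{gpo.name}")
    return result


# Containers from the inheritance slide (constructed setting names).
SITE = Container("Site", [GPO("SiteSecurity",
                              {"secure_logon": "enforced", "registry_keys": "added"},
                              no_override=True)])
DOMAIN = Container("Domain", [GPO("DomainDesktop",
                                  {"start_menu": "domain", "wallpaper": "domain"})])
ACCOUNTING = Container("Accounting", [GPO("AcctDesktop",
                                          {"start_menu": "accounting", "logon_script": "acct.bat"},
                                          apply_deny={"Phone Support"})])
LOCAL = {"wallpaper": "local", "screensaver": "local"}

if __name__ == "__main__":
    resolved = effective_settings(LOCAL, [SITE, DOMAIN, ACCOUNTING], {"Authenticated Users"})
    for key, (value, source) in sorted(resolved.items()):
        print(f"{key:14} = {value:11} from {source}")
```

For a member of Accounting this yields the slide's outcome: the OU's Start menu, the domain wallpaper, the OU logon script and the site's security settings. Adding the user to Phone Support removes AcctDesktop through the Deny, and setting Block Policy inheritance on Accounting drops the domain GPO while the No Override site GPO still applies.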

Examining the Group Policy Interface

Screenshot: the Group Policy snap-in window with the Action and View menus, a Tree pane and a Name pane.

Configuring the Registry by Using Group Policy

Screenshot: Administrative Templates > System > Disk Quotas in the Group Policy snap-in (other nodes shown: Windows Components, Logon, DNS Client, Group Policy). The Disk Quotas node holds the policies Enable disk quotas, Enforce disk quota limit, Default quota limit and warning level, and Log event when quota limit exceeded.

The Enable disk quotas Properties dialog has Policy and Explain tabs and the states Not Configured (ignore), Enabled (implement) and Disabled (do not implement, remove). Its explanation reads: Enable disk quotas for all NTFS volumes on the computer.

Setting a Target Location

Screenshots: Desktop Properties, Target tab. The Setting drop-down offers three choices:

• No administrative policy specified – the Group Policy Object will have no effect on the location of this folder.

• Basic – Redirect everyone's folder to the same location. This folder will be redirected to the specified location; an example target path is \\server\share\%username%. Target folder location shown: \\london\desktops\%username% (with a Browse button).

• Advanced – Specify locations for various user groups. This folder will be redirected to different locations based on the security group membership of the users; an example target path is \\server\share\%username%.

  Security Group Membership    Path
  CONTOSO\acct                 \\london\acct\%username%
  CONTOSO\sales                \\london\sales\%username%

Configuring Folder Redirection Settings

Screenshot: Desktop Properties, Settings tab. Specify the redirection settings for Desktop:
• Move the contents of Desktop to the new location.
• Grant the user exclusive rights to Desktop.
• When policy is removed: leave the folder in the new location, or redirect the folder back to the local user profile location.
