Windows Active Directory
DNS, Kerberos and LDAP
Thursday, January 27, 2011
DNS? LDAP? Kerberos?
Active Directory relies on DNS to register and locate services
Active Directory uses LDAP to store information about users, computers, and services
Active Directory uses Kerberos for authentication
Example of how a corp can leverage open
History of Active Directory?
Grew out of the LDAP service in MS Exchange used to track users' data, and the NT server administration system
Integration of Dynamic DNS replaces some of the badness of NetBIOS (by matching names to IPs)
Provides a unified system for accessing data about users, computers, and services in a domain, and controlling access to data and
AD Hierarchies--the woods
The top level is defined as a forest
Trees are domain controllers within the forest
Objects in AD can be kept in a single
...or with a federated forest
AD Objects
...and objects can be pretty much anywhere in the woods....
A Matter of Trusts
Transitive trusts are bidirectional relationships established between two domains (if they are in different forests, it's called a cross-forest trust)
If A trusts B, and B trusts C, A trusts C
Trusts can also be unidirectional
Trusts follow network paths, and can take time, so sometimes you need to employ a redundant
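The trust rules on this slide, worked through in code. This is an added example, not from the slides: each trust is a tuple (trusting, trusted, bidirectional, transitive), where "trusting" accepts accounts from "trusted". The slide covers transitive two-way trusts and one-way trusts; the transitive flag goes one step beyond the slide, since an AD external trust is one-way and non-transitive and therefore never chains. The domain names are a constructed sample.

```python
"""Which domains accept which accounts through AD trusts (added example)."""
from collections import defaultdict, deque


def build_trust_graph(trusts):
    """Return {trusting: {trusted: is_transitive}} from the trust tuples."""
    graph = defaultdict(dict)
    for trusting, trusted, bidirectional, transitive in trusts:
        graph[trusting][trusted] = transitive
        if bidirectional:
            graph[trusted][trusting] = transitive
    return graph


def trusted_domains(graph, start):
    """Every domain whose accounts 'start' will accept.

    A direct trust always counts. A domain reached through another domain
    counts only if every trust on the path is transitive: if A trusts B and
    B trusts C, A trusts C (the slide's rule), but a non-transitive trust
    stops the chain after one hop.
    """
    accepted, expandable = set(), set()
    frontier = deque([start])
    while frontier:
        cur = frontier.popleft()
        for nxt, transitive in graph.get(cur, {}).items():
            if nxt == start:
                continue
            if cur != start and not transitive:
                continue  # reached via a chain, and this hop does not carry over
            accepted.add(nxt)
            if transitive and nxt not in expandable:
                expandable.add(nxt)
                frontier.append(nxt)
    return accepted


def accepts_accounts_from(graph, trusting, trusted):
    """Does 'trusting' accept accounts from 'trusted', directly or via a chain?"""
    return trusted in trusted_domains(graph, trusting)


# Constructed sample: three domains of one forest linked by two-way
# transitive trusts, plus a one-way, non-transitive trust to a partner.
SAMPLE_TRUSTS = [
    ("a.example", "b.example", True, True),
    ("b.example", "c.example", True, True),
    ("c.example", "partner.example", False, False),
]

if __name__ == "__main__":
    g = build_trust_graph(SAMPLE_TRUSTS)
    for d in sorted(set(g) | {"partner.example"}):
        print(d, "accepts accounts from", sorted(trusted_domains(g, d)))
```

With the sample, a.example accepts accounts from b.example and c.example, c.example additionally accepts partner.example, and partner.example accepts nobody, because its trust is one-way.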
Digression
Authorization is separate from Authentication
Authentication is "who are you?"
Authorization is "what can he/she/it do?"
For example, Cerberus (the FTP server) can use either the OS or its own password file for authentication, but maintains control of authorization in either case
AD Authentication
AD stores user and other object IDs and passwords
Built around Kerberos V services, so kerberized applications can also use it
Kerberos is a key-based system and can authenticate clients and servers as well as users; we'll talk about this in the Linux sections....
AD Authorization
Objects and their permission settings are stored in AD in the LDAP service
When a user or any other object requests access to another object, AD checks the access control lists for the object to see if permission should be
Example: Group Policies
Controls objects within a domain: all computers and users
Allows an admin to affect all systems with one setting
Relatively easy to administer through the Group Policy Management Console (not included with 2k3 Server out of the box; you have to download it!)
Some GP Settings
Security settings (local, domain, and network settings)
Software installation options (who can install what where)
Scripts for startup, login, and logoff
Software (who can run what)
Policy Inheritance
Group policies are applied from the domain level (for users, at login; for machines, on reboot or at the defined refresh interval)
But since a forest contains a hierarchy of trees, inheritance applies
Settings that are neither enabled nor disabled don't override the local settings in the registry of
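The inheritance rule on this slide, as an added example (not from the slides): policies are applied top-down, domain first and then each OU down to the container holding the object; a later level overrides an earlier one only when it actually configures the setting, a setting left "Not Configured" lets the inherited value stand, and if no level configures it the machine's own registry value is used. The level names and settings are a constructed sample, and the Enforced and Block Inheritance options of real GPO processing are left out.

```python
"""Resolve the effective Group Policy value through inheritance (added example)."""

NOT_CONFIGURED = None  # a GPO value meaning "leave whatever is inherited"


def effective_setting(setting, local_value, hierarchy):
    """hierarchy: list of (level_name, {setting: value}) ordered domain -> leaf OU.

    Returns (value, source): the winning value and the level that set it,
    falling back to the local registry value when no level configures it.
    """
    value, source = local_value, "local registry"
    for level, policy in hierarchy:
        configured = policy.get(setting, NOT_CONFIGURED)
        if configured is not NOT_CONFIGURED:
            value, source = configured, level
    return value, source


def effective_policy(local_settings, hierarchy):
    """Resolve every setting named at any level or in the local registry."""
    names = set(local_settings)
    for _, policy in hierarchy:
        names.update(policy)
    return {name: effective_setting(name, local_settings.get(name), hierarchy)
            for name in sorted(names)}


# Constructed sample: what the machine's registry holds, then a domain GPO,
# a parent OU and a child OU, in the order they are applied.
LOCAL = {
    "AllowRemovableMedia": "Enabled",
    "MinPasswordLength": 6,
    "RunLoginScript": "Disabled",
    "ScreenSaverTimeout": 600,
}
HIERARCHY = [
    ("domain cs.example", {"MinPasswordLength": 8, "RunLoginScript": "Enabled"}),
    ("OU=Labs", {"AllowRemovableMedia": "Disabled"}),
    ("OU=Lab101 (under Labs)", {"MinPasswordLength": 12,
                                "RunLoginScript": NOT_CONFIGURED}),
]

if __name__ == "__main__":
    for name, (value, source) in effective_policy(LOCAL, HIERARCHY).items():
        print(f"{name:22} = {value!s:10} (from {source})")
```

Note that RunLoginScript ends up Enabled from the domain GPO: the child OU names the setting but leaves it Not Configured, so it neither overrides the domain nor reverts to the local Disabled value.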
AD and LDAP
AD stores all information about computers, users, services, etc. in an LDAP system
AD also maintains access control in that same system, and schemas to control new objects
So systems and users in a domain are making LDAP queries when someone tries to access
AD and DNS
Active Directory uses a relatively new concept: dynamic DNS entries
In a 2003 domain, a computer can insert service records into the AD DNS server on the fly
This allows other machines to find that service even if it moves
As a consequence, AD must have a compatible DNS server available at all times
Installation of Active Directory
Determine your IP domain settings (more on this later!)
Use Manage Your Server to add the Active Directory role
Install a DNS server as part of this if you don't have an AD DNS server already
Important Settings: DC Type
Are you starting a new domain, or adding a domain controller to an existing domain?
Important Settings:
Are your users all Win2k or higher, or do you have Win98, WinME, or other versions in the domain?
AD is bound to DNS
What is an IP domain? Give some examples... What is an IP subdomain?
Under NT, a windows domain had no necessary relation to an IP domain
Under Active Directory, the AD domain must map to an IP domain
Types of DNS servers
For small networks, only forward is recommended
But I think you want forward and reverse
Keep in mind whose network is whose: your server can claim authority, but other servers won't
Define the IP domain
This can be tricky...
If you use a machine on campus, you can make it the only member of its zone
Here, Monkey-cs.cs.unc.edu is being declared as a new zone
Dynamic Updates?
Allow secure dynamic updates
No reason not to; it's safe enough for most situations
If you're paranoid, don't allow updates, but you'll be doing a lot of typing
DNS Forwarders
Using forwarders allows you to set up a DNS server that you can use without harming the rest of the network...
Types of DNS Records
Name to IP (A records)
IP to Name (reverse, or PTR)
Name to Alias (CNAME)
DNS Servers (NS)
Mail Servers (MX)
A, PTR, and CNAME
These are the meat and potatoes of DNS
PTR used mainly for verification of identity (since the route to get the map is different from A records)
CNAMEs used for major services, so you can swap servers out transparently...
The SOA Record
Contents:
The version number of the zone (incremented as changes are made)
The IP number of the primary DNS server for the zone
Contact data on the zone administrator (so others can use programs like whois to find them if needed!)
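The record types from the last few slides, handled in code. This is an added example, not from the slides: it resolves a CNAME alias down to its A record, uses a PTR record the way the slide describes (as an identity check: the name the PTR gives is trusted only if its own A record points back at the same address, so-called forward-confirmed reverse DNS), reads the administrator mailbox out of the SOA RNAME, and steps the SOA serial when the zone changes. The forward and reverse zone data are a constructed sample held in dictionaries of (type, value) records.

```python
"""A, PTR, CNAME and SOA handling on in-memory zone data (added example)."""
import ipaddress


def reverse_name(ip):
    """'192.0.2.4' -> '4.2.0.192.in-addr.arpa' (IPv6 gives an ip6.arpa name)."""
    return ipaddress.ip_address(ip).reverse_pointer


def resolve_a(name, zone, max_hops=8):
    """Return the A record values for a name, following CNAME aliases.

    None if there is no A record, the alias chain dangles, or it loops.
    """
    for _ in range(max_hops):
        rrs = zone.get(name, [])
        addrs = [value for rtype, value in rrs if rtype == "A"]
        if addrs:
            return addrs
        aliases = [value for rtype, value in rrs if rtype == "CNAME"]
        if not aliases:
            return None
        name = aliases[0]
    return None  # more hops than allowed: treat as a loop


def fcrdns_ok(ip, forward_zone, reverse_zone):
    """Trust the PTR name only if it has an A record back to the same address."""
    ptr_names = [value for rtype, value in reverse_zone.get(reverse_name(ip), [])
                 if rtype == "PTR"]
    return any(ip in (resolve_a(name, forward_zone) or []) for name in ptr_names)


def soa_contact(soa):
    """RNAME 'hostmaster.cs.example.' is a mailbox: the first dot stands for '@'."""
    local, _, domain = soa["rname"].rstrip(".").partition(".")
    return f"{local}@{domain}"


def bump_serial(soa):
    """Increment the zone version so secondaries notice the change."""
    soa["serial"] += 1
    return soa["serial"]


# Constructed sample zones. Names carry a trailing dot as in a zone file.
FORWARD = {
    "cs.example.":        [("NS", "ns1.cs.example."), ("MX", "10 mail.cs.example.")],
    "ns1.cs.example.":    [("A", "192.0.2.1")],
    "mail.cs.example.":   [("CNAME", "toucan.cs.example.")],
    "toucan.cs.example.": [("A", "192.0.2.4")],
    "rogue.cs.example.":  [("A", "192.0.2.99")],
    "loop1.cs.example.":  [("CNAME", "loop2.cs.example.")],
    "loop2.cs.example.":  [("CNAME", "loop1.cs.example.")],
}
REVERSE = {
    reverse_name("192.0.2.4"): [("PTR", "toucan.cs.example.")],
    # claims a name whose A record points elsewhere, so the check must fail
    reverse_name("192.0.2.9"): [("PTR", "toucan.cs.example.")],
}
SOA = {"mname": "ns1.cs.example.", "rname": "hostmaster.cs.example.",
       "serial": 2011012701}

if __name__ == "__main__":
    print("mail.cs.example. ->", resolve_a("mail.cs.example.", FORWARD))
    for ip in ("192.0.2.4", "192.0.2.9", "192.0.2.99"):
        print(ip, "forward-confirmed:", fcrdns_ok(ip, FORWARD, REVERSE))
    print("zone contact:", soa_contact(SOA), "serial now", bump_serial(SOA))
```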
Authority?
A DNS server considers itself an authority for the zone (usually an entire IP domain) it controls
It is truly an authority if the DNS servers at the next level up delegate authority (and queries) to it
There are non-authoritative DNS servers that cache DNS data, or have copies of other zones' data (a stub zone server)
Service Records
Allows clients to query DNS to find major services
Best example is MX records for email: outbound mail servers (SMTP) don't have to know who the email servers are for other sites; they can ask a domain's DNS server for those data
Older systems are moving to this
Example: AFS
Andrew File System, a world-wide filesystem
Used to rely on a local text file, CellServDB
A master version was kept in AFS space at Transarc (but few updated regularly)
Now, OpenAFS and Arla
>isis.unc.edu           # University of North Carolina Project Isis
152.2.1.5               #db0.isis.unc.edu
152.2.1.6               #db1.isis.unc.edu
152.2.1.7               #db2.isis.unc.edu
>cs.unc.edu             # University of North Carolina at Chapel Hill
152.2.128.4             #toucan.cs.unc.edu
152.2.128.7             #cvs.cs.unc.edu
152.2.128.3             #quail.cs.unc.edu
>grand.central.org      #GCO Public CellServDB 08 Dec 2003
18.7.14.88              #grand-opening.mit.edu
128.2.191.224           #penn.central.org
>wu-wien.ac.at          #University of Economics, Vienna, Austria
137.208.3.3             #afsdb1.wu-wien.ac.at
137.208.7.4             #afsdb2.wu-wien.ac.at
137.208.7.7             #afsdb3.wu-wien.ac.at
>hephy.at               #hephy-vienna
193.170.243.10          #mowgli.oeaw.ac.at
193.170.243.12          #baloo.oeaw.ac.at
193.170.243.14          #akela.oeaw.ac.at
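A parser for the CellServDB format shown above, as an added example that is not from the slides or from OpenAFS. The format is what the excerpt shows: a line beginning with ">" names a cell, with the text after "#" as its description, and each following line gives one database server's address with the host name as a comment. The text parsed below is a constructed fragment in that format; the parser runs unchanged on the slide's excerpt. Since the file is a plain, unauthenticated list of servers the client will trust, the parser rejects anything that is not a valid address rather than guessing.

```python
"""Parse an AFS CellServDB file into cells and their database servers (added example)."""
import ipaddress

# Constructed sample in the CellServDB layout quoted on the slide.
SAMPLE_CELLSERVDB = """\
>isis.example            # Project Isis (constructed sample)
192.0.2.5                #db0.isis.example
192.0.2.6                #db1.isis.example
>cs.example              # CS department (constructed sample)
192.0.2.4                #toucan.cs.example
192.0.2.7                #cvs.cs.example
"""


def parse_cellservdb(text):
    """Return {cell: {"description": str, "servers": [(ip, hostname), ...]}}.

    Raises ValueError on a server line before any cell header, an empty
    cell name, or an address that is not a valid IP.
    """
    cells = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(">"):
            body, _, comment = line[1:].partition("#")
            name = body.strip()
            if not name:
                raise ValueError(f"line {lineno}: cell entry without a name")
            current = cells.setdefault(name, {"description": comment.strip(),
                                              "servers": []})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: server line before any cell header")
        addr, _, host = line.partition("#")
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad server address {addr.strip()!r}") from exc
        current["servers"].append((str(ip), host.strip()))
    return cells


def servers_for(cells, cell):
    """Database server addresses for one cell, [] if the cell is unknown."""
    return [ip for ip, _ in cells.get(cell, {"servers": []})["servers"]]


if __name__ == "__main__":
    for cell, info in parse_cellservdb(SAMPLE_CELLSERVDB).items():
        print(f"{cell} ({info['description']}):")
        for ip, host in info["servers"]:
            print(f"    {ip:16} {host}")
```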
DNS bound to AD
The Windows DNS server under AD allows dynamic updates
Clients and servers in the domain can update records in DNS as they move from IP segment to IP segment
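How a client finds domain services once they are registered in DNS, as an added example (not from the slides). A domain-joined Windows client looks up SRV records with owner names such as _ldap._tcp.<domain> and _kerberos._tcp.<domain>; each answer carries a priority, weight, port and target host, and RFC 2782 says to use the lowest priority first and choose among equal priorities at random in proportion to weight. The answer set below is a constructed sample; the domain name is made up.

```python
"""Build DC-locator SRV names and choose a target per RFC 2782 (added example)."""
import random


def srv_name(service, domain, proto="tcp"):
    """'ldap', 'tallman.cs.example' -> '_ldap._tcp.tallman.cs.example.'"""
    return f"_{service}._{proto}.{domain.strip('.')}."


def dc_locator_names(domain):
    """SRV owner names a Windows client queries to find its domain controllers."""
    return [
        srv_name("ldap", domain),                 # LDAP on any DC of the domain
        srv_name("ldap", "dc._msdcs." + domain),  # DCs only, not other LDAP servers
        srv_name("kerberos", domain),             # the KDC
        srv_name("kpasswd", domain),              # password-change service
    ]


def pick_target(records, rng=None):
    """records: list of (priority, weight, port, target).

    Lowest priority wins; among equal priorities pick at random, weighted.
    """
    if not records:
        return None
    rng = rng if rng is not None else random
    lowest = min(rec[0] for rec in records)
    group = [rec for rec in records if rec[0] == lowest]
    total = sum(rec[1] for rec in group)
    if total == 0:
        return rng.choice(group)  # all weights zero: plain random choice
    roll = rng.randrange(total)
    for rec in group:
        roll -= rec[1]
        if roll < 0:
            return rec
    return group[-1]  # not reachable; satisfies the return type


def failover_order(records, seed=None):
    """The order a client would try the targets: pick, remove, repeat."""
    rng = random.Random(seed)
    remaining = list(records)
    order = []
    while remaining:
        chosen = pick_target(remaining, rng)
        order.append(chosen)
        remaining.remove(chosen)
    return order


# Constructed sample answer for _ldap._tcp.tallman.cs.example.
SAMPLE_ANSWERS = [
    (0, 100, 389, "dc1.tallman.cs.example."),
    (0, 100, 389, "dc2.tallman.cs.example."),
    (10, 0, 389, "dc-branch.tallman.cs.example."),  # used only if both above fail
]

if __name__ == "__main__":
    for name in dc_locator_names("tallman.cs.example"):
        print("query", name)
    print("try in order:", [rec[3] for rec in failover_order(SAMPLE_ANSWERS)])
```

Whatever the random draw, the two priority-0 controllers come first in some order and the branch controller is always last; that is the behaviour the priority field exists to give.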
Discussion
Why would Microsoft bind DNS to Active
LDAP
Lightweight Directory Access Protocol
Derived from the X.500 system (a 'heavy' directory protocol developed by ISO and ITU)
X.500 was designed to service very large orgs
LDAP is commonly used to provide information about people in organizations to email and
LDAP Data Structures
Usually, LDAP has a backend database (on Unix, often Berkeley DB), but it can use a flat file
LDAP uses keys to denote fields, such as ou (organizational unit), name, mail
Schemas are used to control data (think XML; the basic approach is the same), for example
LDAP Service
Runs on port 389
Authentication is accomplished during a "bind" operation, wherein the client connects to the server
Anonymous bind is most common with email clients
Authenticated binds are used by MS Windows
Authentication can be by key or password
So why not just use a DATABASE?
Databases are heavy in terms of the knowledge needed to access data: you have to know where to look, and there's no unified query language
LDAP's schemas define in general where one should look for particular data
Queries in LDAP are simple, based on a "root"
Learning LDAP
There are docs on the OpenLDAP web site that can help
If you know a bit about PHP, you can write a simple query in that, e.g.:
http://queequeg.cs.unc.edu/dev/php/ldap/test3_super.php
Also, the phpLDAPadmin software can be a big help, since it will let you use a web interface to look at LDAP data
Some examples of LDAP
addressbook.cs.unc.edu
LDAP running to provide email addresses
Root for email addresses is ou=affiliates,dc=cs,dc=unc,dc=edu
Contains name, mail objects
So a query could be "find 'hays' in the name at the root and give me associated mail data"
Some examples of LDAP
ldap.unc.edu
Head of the campus LDAP system
Back end served by multiple tables with data from HR/payroll and the registrar, and other sources
Interesting from a historical and political
Basic Structure
Multiple Sources
Acts as an authoritative source for other backend systems
Uses multiple LDAP slave systems to distribute load
Active Directory's LDAP
Administrator is CN=Administrator,CN=Users,DC=tallman,DC=cs,DC=unc,DC=edu
You can access the LDAP service directly over port 389 (if you open the firewall)
Anonymous bind is not supported out of the box, so you do have to authenticate (which means you'd
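LDAP names and queries as the last few slides use them, as an added example (not from the slides or from any LDAP library). It ties two points together: an AD domain's base DN is its DNS name split into DC= components, which is what the DN on this slide shows and what "AD is bound to DNS" means at the LDAP level, and the addressbook lookup "find 'hays' in the name at the root and give me the mail data" is an LDAP search filter. Any value placed into a filter is escaped per RFC 4515, so a name such as "hays)(cn=*" cannot change the meaning of the query. The directory entries searched are a constructed in-memory sample; a real client would send the filter to the server on port 389 after binding.

```python
"""Base DNs, DN parsing and a safely built search filter (added example)."""


def domain_to_base_dn(domain):
    """'tallman.cs.example' -> 'DC=tallman,DC=cs,DC=example'."""
    return ",".join(f"DC={label}" for label in domain.strip(".").split("."))


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...] without breaking on '\\,'."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(buf)
            buf = ""
            continue
        escaped = (ch == "\\") and not escaped  # a backslash escapes the next char
        buf += ch
    rdns.append(buf)
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr.strip(), value))
    return parsed


def dn_to_domain(dn):
    """The DNS domain named by a DN's DC= components."""
    return ".".join(value for attr, value in parse_dn(dn) if attr.upper() == "DC")


# RFC 4515: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def mail_lookup_filter(name_fragment):
    """'hays' -> '(&(cn=*hays*)(mail=*))': name contains the fragment, mail present."""
    return f"(&(cn=*{escape_filter_value(name_fragment)}*)(mail=*))"


def search_mail(entries, base_dn, name_fragment):
    """What the filter above asks a server for, evaluated on in-memory entries:
    entries under base_dn whose cn contains the fragment (cn matching is
    case-insensitive in LDAP) and which carry a mail attribute."""
    suffix = "," + base_dn.lower()
    needle = name_fragment.lower()
    return [entry["mail"] for entry in entries
            if entry["dn"].lower().endswith(suffix)
            and needle in entry.get("cn", "").lower()
            and "mail" in entry]


# Constructed sample entries; the root for mail lookups is ou=affiliates.
DIRECTORY = [
    {"dn": "cn=Hays Example,ou=affiliates,dc=cs,dc=example",
     "cn": "Hays Example", "mail": "hays@cs.example"},
    {"dn": "cn=Chris Hayslett,ou=affiliates,dc=cs,dc=example",
     "cn": "Chris Hayslett", "mail": "hayslett@cs.example"},
    {"dn": "cn=Hays NoMail,ou=affiliates,dc=cs,dc=example", "cn": "Hays NoMail"},
    {"dn": "cn=Hays Other,ou=staff,dc=other,dc=example",
     "cn": "Hays Other", "mail": "h@other.example"},
]

if __name__ == "__main__":
    admin = "CN=Administrator,CN=Users,DC=tallman,DC=cs,DC=unc,DC=edu"
    print("admin's domain:", dn_to_domain(admin))
    print("filter:", mail_lookup_filter("hays"))
    print("matches:", search_mail(DIRECTORY, "ou=affiliates,dc=cs,dc=example", "hays"))
```

Two entries named Hays are deliberately excluded from the result: one has no mail attribute, the other lives outside the search root. A fragment containing filter metacharacters is escaped rather than stripped, so the query stays a substring match on the name.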