7/31/2019 Ad Week 01
1/35
Welcome
Thank you for taking our training.
Collection 6425: Configure Windows 2008 Active Directory Domain Services
Course 6710 6719 at
http://itacademy.microsoftelearning.com
PowerPoint Presentations at: carrieclasses.wikispaces.com
Course Companion CD Student.zip file
Exam number and title
Core exam for the following track
70-640: TS: Windows Server 2008 Active Directory, Configuring
Microsoft Certified Systems Engineer: Windows Server 2008 Application Platform Configuration
Week 1 Introduction and Install Active Directory
Introducing Active Directory, Identity, and Access
Active Directory Components and Concepts
Extend IDA with Active Directory Services
Information Protection in a Nutshell
It's all about connecting users to the information they require
SECURELY!
IDA: Identity and Access
AAA: Authentication, Authorization, Accounting
CIA: Confidentiality, Integrity, Availability ( & Authenticity)
Identity and Access (IDA)
Identity: user account
Saved in an identity store (directory database)
Security principal
Represented uniquely by the security identifier (SID)
Resource: Shared Folder
Secured with a security descriptor
Discretionary access control list (DACL or ACL)
Access control entries (ACEs or permissions)
Authentication and Authorization
A user presents credentials that are authenticated using the information stored with the user's identity
The system creates a security token that represents the user with the user's SID and all related group SIDs
A resource is secured with an access control list (ACL): permissions that pair a SID with a level of access
The user's security token is compared with the ACL of the resource to authorize a requested level of access
Authentication
Two types of authentication
Local (interactive) logon: authentication for logon to the local computer
Remote (network) logon: authentication for access to resources on another computer
Authentication is the process that verifies a user's identity
Credentials: at least two components required
Username
Secret, for example, a password
Access Tokens
User's Access Token
Other access information
Privileges (user rights)
Member Group SIDs
User SID
Security Descriptors, ACLs and ACEs
Security Descriptor
Discretionary ACL (DACL or ACL)
ACE: Trustee (SID), Access Mask
ACE: Trustee (SID), Access Mask
System ACL (SACL)
Authorization
Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource
Three components required for authorization
Resource, Security Token, Access Request
Security Descriptor
Discretionary ACL (DACL or ACL)
ACE: Trustee (SID), Access Mask
ACE: Trustee (SID), Access Mask
System ACL (SACL)
User's Access Token
Other access information
List of user rights
Group SID
User SID
System finds the first ACE in the ACL that allows or denies the requested access level for any SID in the user's token
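To make the three-component check concrete, here is an added PowerShell model (not from the course materials) of the DACL walk: a constructed token of SIDs, a constructed DACL in canonical order (deny ACEs before allow ACEs), and a requested access mask. The SIDs, mask bit values and ACEs are all made up for the illustration; real Windows also evaluates owner rights, generic-to-specific mask mapping and the SACL, which this model leaves out.

```powershell
# Constructed access mask bits for the example (not the real FILE_* values)
$READ  = 0x1
$WRITE = 0x2
$EXEC  = 0x4

# Constructed security token: the user's SID plus the SIDs of the groups it belongs to
$token = @('S-1-5-21-1-1-1-1105',   # the user
           'S-1-5-21-1-1-1-513',    # Domain Users
           'S-1-5-32-545')          # BUILTIN\Users

# Constructed DACL in canonical order: explicit deny ACEs first, then allow ACEs
$dacl = @(
    @{ Type = 'Deny';  Trustee = 'S-1-5-21-1-1-1-513';  Mask = $WRITE          }  # Domain Users: deny write
    @{ Type = 'Allow'; Trustee = 'S-1-5-32-545';        Mask = $READ -bor $EXEC } # Users: read and execute
    @{ Type = 'Allow'; Trustee = 'S-1-5-21-1-1-1-1105'; Mask = $WRITE          }  # this user: write
)

function Test-DaclAccess {
    param([string[]]$TokenSids, $Dacl, [int]$Requested)
    if ($null -eq $Dacl) { return $true }      # null DACL: no protection at all, access granted
    $remaining = $Requested                    # bits still to be granted
    foreach ($ace in $Dacl) {
        if ($TokenSids -notcontains $ace.Trustee) { continue }   # ACE is for a SID not in the token
        if ($ace.Type -eq 'Deny' -and ($ace.Mask -band $remaining)) {
            return $false                      # first matching deny of a still-wanted bit ends the walk
        }
        if ($ace.Type -eq 'Allow') {
            $remaining = $remaining -band (-bnot $ace.Mask)      # grant these bits
            if ($remaining -eq 0) { return $true }               # everything requested is granted
        }
    }
    return $false                              # empty DACL or leftover bits: implicit deny
}

Test-DaclAccess $token $dacl ($READ -bor $EXEC)   # True: granted by the BUILTIN\Users allow ACE
Test-DaclAccess $token $dacl $WRITE               # False: the Domain Users deny ACE is hit first
Test-DaclAccess $token $null $WRITE               # True: a null DACL protects nothing
```

The second call shows why ACE order matters: the user's own allow-write ACE never gets a chance because the deny for a group in the token precedes it.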
Stand-alone (Workgroup) Authentication
The identity store is the security accounts manager (SAM) database on the Windows system
No shared identity store
Multiple user accounts
Management of passwords is challenging
Active Directory Domains: Trusted Identity Store
Centralized identity store trusted by all domain members
Centralized authentication service
Hosted by a server performing the role of an Active Directory Domain Services (AD DS) domain controller
Active Directory, Identity, and Access
An IDA infrastructure should
Store information about users, groups, computers and other identities
Authenticate an identity
Kerberos authentication used in Active Directory provides single sign-on. Users are authenticated only once.
Control access
Provide an audit trail
Active Directory services
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Certificate Services (AD CS)
Active Directory Rights Management Services (AD RMS)
Active Directory Federation Services (AD FS)
Active Directory As a Database
Active Directory is a database
Each record is an object
Users, groups, computers, ...
Each field is an attribute
Logon name, SID, password, description, membership, ...
Identities (security principals or accounts)
Services: Kerberos, DNS, replication, etc.
Accessing the database
Windows tools, user interfaces, and components
APIs (.NET, VBScript, Windows PowerShell)
Lightweight Directory Access Protocol (LDAP)
AD DS is, in the end, a database and the services that support or use that database
Schema Demo
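An added example, not from the course, of reading one record (object) and a few of its fields (attributes) straight from the AD DS database over LDAP, using the .NET DirectorySearcher that PowerShell exposes as [ADSISearcher]. It assumes it runs as a domain user on a domain-joined machine; the logon name 'jdoe' is a placeholder.

```powershell
$user = 'jdoe'   # placeholder sAMAccountName

# LDAP filter: a user object with this logon name
$searcher = [ADSISearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$user))"

# Load only the attributes (fields) we need from the record
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedname', 'objectsid', 'memberof', 'useraccountcontrol'))

$result = $searcher.FindOne()
if (-not $result) { throw "No user object found for sAMAccountName '$user'" }

# objectSid is stored as a binary blob; convert it to the familiar S-1-5-... form
$sidBytes = [byte[]]$result.Properties['objectsid'][0]
$sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

[pscustomobject]@{
    DistinguishedName = $result.Properties['distinguishedname'][0]
    SID               = $sid.Value                                  # the SID that goes into the token
    MemberOf          = @($result.Properties['memberof'])           # groups whose SIDs join the token
    Disabled          = [bool]($result.Properties['useraccountcontrol'][0] -band 0x2)  # ACCOUNTDISABLE flag
}
```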
Organizational Units
Containers
Users
Computers
Organizational Units
Containers that also support the management and configuration of objects using Group Policy
Create OUs to
Delegate administrative permissions
Apply Group Policy
Policy-Based Management
Active Directory provides a single point of management for security and configuration through policies
Group Policy
Domain password and lockout policy
Audit policy
Configuration applied to users or computers by scoping a GPO containing configuration settings
Fine-grained password and lockout policies
The Active Directory Data Store
%systemroot%\NTDS\ntds.dit
Logical partitions
Domain naming context
Schema
Configuration
Global catalog (aka Partial Attribute Set)
DNS (application partitions)
SYSVOL
%systemroot%\SYSVOL
Logon scripts
Policies
PAS
DNS
*Domain*
Configuration
Schema
NTDS.DIT
Domain Controllers
Servers that perform the AD DS role
Host the Active Directory database (NTDS.DIT) and SYSVOL
Replicated between domain controllers
Kerberos Key Distribution Center (KDC) service: authentication
Other Active Directory services
Best practices
Available: at least two in a domain
Secure: Server Core, Read-only domain controllers (RODCs)
Domain
Made up of one or more DCs
All DCs replicate the Domain naming context (Domain NC)
The domain is the context within which Users, Groups, Computers, and so on are created
Replication boundary
Trusted identity source: Any DC can authenticate any logon in the domain
The domain is the maximum scope (boundary) for certain administrative policies
Password
Lockout
Replication
Multimaster replication
Objects and attributes in the database and the contents of SYSVOL are replicated
Several components work to create an efficient and robust replication topology and to replicate granular changes to AD
The Configuration partition of the database stores information about sites, network topology, and replication
DC1, DC2, DC3
Sites
An Active Directory object that represents a well-connected portion of your network
Associated with subnet objects representing IP subnets
Intrasite vs. intersite replication
Replication within a site occurs very quickly (15-45 seconds)
Replication between sites can be managed
Service localization
Log on to a DC in your site
Site A
Site B
Tree
One or more domains in a single instance of AD DS that share a contiguous DNS namespace
proseware.com
treyresearch.net
antarctica.treyresearch.net
Forest
A collection of one or more Active Directory domain trees
First domain is the forest root domain
Single configuration and schema replicated to all DCs in the forest
A security and replication boundary
The Global Catalog
Partial Attribute Set or Global Catalog
Contains every object in every domain in the forest
Contains only selected attributes
A type of index
Can be searched from any domain
Very important for many applications
PAS, Domain A
PAS, Domain B
Functional Level
Domain functional levels
Forest functional levels
New functionality requires that domain controllers are running a particular version of Windows
Windows 2000
Windows Server 2003
Windows Server 2008
Cannot raise functional level while DCs are running previous versions of Windows
Cannot add DCs running previous versions of Windows after raising functional level
DNS and Application Partitions
Active Directory and DNS are tightly integrated
One-to-one relationship between the DNS domain name and the logical domain unit of Active Directory
Complete reliance on DNS to locate computers and services in the domain
A domain controller acting as a DNS server can store the zone data in Active Directory itself, in an application partition
PAS
DNS
Domain
Configuration
Schema
Trust Relationships
Extends concept of trusted identity store to another domain
Trusting domain (with the resource) trusts the identity store and authentication services of the trusted domain
A trusted user can authenticate to, and be given access to resources in, the trusting domain
Within a forest, each domain trusts all other domains
Trust relationships can be established with external domains
Trusted domain, Trusting domain
Active Directory Lightweight Directory Services (AD LDS)
Standalone version of Active Directory
Used to support applications that require a directory store
Allow customization without impact to production Active Directory
Characteristics
A subset of AD DS functionality, sharing the same code
Schema, Configuration, and Application partitions
Replication
Not dependent upon AD DS
Can use AD DS to authenticate Windows security principals
Can run multiple instances on a single server
Active Directory Certificate Services (AD CS)
Extends the concept of trust
A certificate from a trusted certificate authority (CA) proves identity
Trust can be extended beyond the boundaries of your enterprise, as long as clients trust the CA of the certificates you present
Creates a public key infrastructure (PKI)
Confidentiality, Integrity, Authenticity, Non-Repudiation
Many uses
Internal-only or external
Secure Web sites (SSL)
VPN
Wireless authentication and encryption
Smart card authentication
Integration with AD DS: powerful, but not required
Active Directory Rights Management Services (AD RMS)
Ensures the integrity of information
Traditional model: ACL defines access. No restriction on use.
AD RMS: Ensures access is limited and defines use.
Examples
Limit access to specified individuals
View e-mail but do not forward or print
View and print document but cannot change or e-mail
Requires
AD RMS, IIS, Database (SQL Server or Windows Internal Database)
AD DS
RMS-enabled applications including Microsoft Office applications, Internet Explorer
Active Directory Federation Services (AD FS)
Extends the authority of AD DS to authenticate users
Traditional trust: Two Windows domains
Numerous TCP ports open in firewalls
Everyone from trusted domain is trusted
AD FS uses Web services technologies to implement trust
One AD DS/LDS directory; other side can be Active Directory or other platforms
Port 443: transactions are secure and encrypted
Rules specifying which users from trusted domain are trusted
Uses
Business-to-business: partnership
Single sign-on
Install Windows Server 2008
Boot with installation media (DVD)
Follow prompts and select the operating system to install
Server Manager and Role-Based Configuration of Windows Server 2008
Windows Server 2008 has a minimal footprint
Functionality is added as roles or features
Server Manager: role and feature configuration along with the common administrative snap-ins for the server
Install and Configure a Domain Controller
1. Install the Active Directory Domain Services role using the Server Manager
2. Run the Active Directory Domain Services Installation Wizard
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator Password
Prepare to Create a New Forest with Windows Server 2008
Domain's DNS name (e.g. contoso.com)
Domain's NetBIOS name (e.g. contoso)
Whether the new forest will need to support DCs running previous versions of Windows (affects choice of functional level)
Details about how DNS will be implemented to support AD DS
Default: Creating a domain controller adds the DNS Server role as well
IP configuration for the DC
IPv4 and, optionally, IPv6
Username and password of an account in the server's Administrators group. Account must have a password.
Location for data store (ntds.dit) and SYSVOL
Default: %systemroot% (c:\windows)
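The six wizard steps and this preparation checklist map onto the fields of a dcpromo answer file. The following is an added example (not part of the course) that writes such a file and runs dcpromo /unattend for a new forest on Windows Server 2008; contoso.com, CONTOSO, the paths and the DSRM password are placeholders to replace with the values gathered from the checklist.

```powershell
# Placeholder path for the constructed answer file
$answerFile = "$env:TEMP\dcpromo-newforest.txt"

@"
[DCInstall]
; Deployment configuration (wizard step 3): new forest, this domain is the forest root
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.com
DomainNetBiosName=CONTOSO
; Functional levels: 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008.
; Level 3 means no DC running an earlier version of Windows can be added later.
ForestLevel=3
DomainLevel=3
; Additional DC features (wizard step 4): install the DNS Server role, the slide's default
InstallDNS=Yes
; Location of ntds.dit, the log files and SYSVOL (wizard step 5); default is under %systemroot%
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Directory Services Restore Mode administrator password (wizard step 6); placeholder value
SafeModeAdminPassword=ChangeMe-DSRM-PLACEHOLDER
RebootOnCompletion=Yes
"@ | Set-Content -Path $answerFile -Encoding ASCII

# Run from an account in the server's local Administrators group; the account must have a password.
# The static IP configuration from the checklist is expected to be in place before this runs.
dcpromo.exe /unattend:$answerFile
```

Because the file holds the DSRM password in clear text, delete it once promotion has completed.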