Ad Week 01

  • 7/31/2019 Ad Week 01

    1/35

    Welcome

    Thank you for taking our training.

Collection 6425: Configure Windows 2008 Active Directory Domain Services

Courses 6710 to 6719 at

http://itacademy.microsoftelearning.com

PowerPoint presentations at: carrieclasses.wikispaces.com

Course Companion CD: Student.zip file

Exam number and title

Core exam for the following track

70-640: TS: Windows Server 2008 Active Directory, Configuring

Microsoft Certified Systems Engineer: Windows Server 2008 Application Platform Configuration

    3/35

    Week 1 Introduction and Install Active Directory

    Introducing Active Directory, Identity, and Access

    Active Directory Components and Concepts

    Extend IDA with Active Directory Services

    4/35

    Information Protection in a Nutshell

It's all about connecting users to the information they require

    SECURELY!

    IDA: Identity and Access

    AAA: Authentication, Authorization, Accounting

    CIA: Confidentiality, Integrity, Availability ( & Authenticity)

    5/35

    Identity and Access (IDA)

Identity: user account

Saved in an identity store (directory database)

A security principal, represented uniquely by its security identifier (SID)

Resource: shared folder

Secured with a security descriptor

Discretionary access control list (DACL or ACL)

Access control entries (ACEs or permissions)

    6/35

    Authentication and Authorization

A user presents credentials that are authenticated against the information stored with the user's identity

The system creates an access token (security token) that represents the user with the user's SID and all related group SIDs

A resource is secured with an access control list (ACL): permissions that pair a SID with a level of access

The user's access token is compared with the ACL of the resource to authorize a requested level of access

    7/35

    Authentication

Authentication is the process that verifies a user's identity

Two types of authentication

Local (interactive) logon: authentication for logon to the local computer

Remote (network) logon: authentication for access to resources on another computer

Credentials: at least two components are required

Username

Secret, for example, a password

    8/35

    Access Tokens

User's access token contains:

User SID

Member group SIDs

Privileges (user rights)

Other access information

    9/35

    Security Descriptors, ACLs and ACEs

Security descriptor

Discretionary ACL (DACL or ACL)

ACE: trustee (SID), access mask, allow or deny

ACE: trustee (SID), access mask, allow or deny

System ACL (SACL): audit entries

    10/35

    Authorization

Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource

Three components are required for authorization

Resource: its security descriptor (a DACL of ACEs, each pairing a trustee SID with an access mask, plus the SACL)

Security token: the user's access token (user SID, group SIDs, list of user rights, other access information)

Access request: the requested level of access (an access mask)

The system walks the ACEs of the DACL in order, considering only ACEs whose trustee SID is in the user's token. A Deny ACE that covers any requested right not yet granted ends the check with access denied; Allow ACEs accumulate granted rights until every requested right is covered, at which point access is granted. If the end of the DACL is reached without every requested right granted, access is denied.
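The slides on access tokens, security descriptors and authorization describe the check in pictures; the script below, an added example that is not part of the course material, dumps a real folder's DACL in the form the slide draws (trustee SID, access mask, allow/deny) and then runs a simplified model of the access check against the current user's token. The folder path and the requested rights are placeholders to change; the model deliberately ignores the owner's implicit rights and token privileges such as SeBackupPrivilege, which the real kernel check also honours.

```powershell
# Added example (not from the course): list a DACL and model the access check.
# $Path and $Requested are placeholders; adjust them for the resource you want to test.
$Path      = 'C:\Windows\Temp'
$Requested = [int][System.Security.AccessControl.FileSystemRights]'ReadData, WriteData'

# The security principal: the token carries the user SID plus every group SID
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User) + @($identity.Groups)

# The resource: its security descriptor; GetAccessRules returns the DACL's ACEs with SID trustees
$sd   = Get-Acl -Path $Path
$aces = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

"Owner: $($sd.Owner)"
'DACL for {0}: {1} ACEs' -f $Path, $aces.Count
foreach ($ace in $aces) {
    $flag = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    '  {0,-5} {1,-45} mask=0x{2:X8} {3}' -f $ace.AccessControlType, $ace.IdentityReference.Value, [int]$ace.FileSystemRights, $flag
}

# The access check: ACEs are evaluated in order; only ACEs whose trustee is in the token count.
# A matching Deny ACE covering any requested bit ends the check with access denied;
# Allow ACEs accumulate granted bits until every requested bit is granted.
# (Simplification: owner rights and privileges are not modelled.)
$granted  = 0
$decision = 'DENIED (end of DACL reached without all requested rights granted)'
foreach ($ace in $aces) {
    if (-not ($tokenSids -contains $ace.IdentityReference)) { continue }
    $mask = [int]$ace.FileSystemRights
    if ($ace.AccessControlType -eq 'Deny') {
        if ($mask -band $Requested) { $decision = "DENIED by Deny ACE for $($ace.IdentityReference.Value)"; break }
    }
    else {
        $granted = $granted -bor $mask
        if (($granted -band $Requested) -eq $Requested) { $decision = 'GRANTED'; break }
    }
}
'Requested mask 0x{0:X8} for {1}: {2}' -f $Requested, $identity.Name, $decision
```

Run it as an ordinary user and then from an elevated prompt against the same folder: the DACL is identical, but the token differs (the elevated token carries the Administrators SID as enabled rather than deny-only), which is why the decision can change without any change to the resource.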

    11/35

    Stand-alone (Workgroup) Authentication

The identity store is the Security Accounts Manager (SAM) database on each Windows system

No shared identity store

Multiple user accounts: a user needs a separate account on every computer that must recognize them

Management of passwords is challenging: each of those accounts has its own password to keep in sync

    12/35

    Active Directory Domains: Trusted Identity Store

Centralized identity store trusted by all domain members

Centralized authentication service

Hosted by a server performing the role of an Active Directory Domain Services (AD DS) domain controller

    13/35

    Active Directory, Identity, and Access

An IDA infrastructure should

Store information about users, groups, computers and other identities

Authenticate an identity

Kerberos authentication used in Active Directory provides single sign-on: users authenticate once per logon session and are then issued service tickets without re-entering credentials

Control access

Provide an audit trail

Active Directory services

Active Directory Domain Services (AD DS)

Active Directory Lightweight Directory Services (AD LDS)

Active Directory Certificate Services (AD CS)

Active Directory Rights Management Services (AD RMS)

Active Directory Federation Services (AD FS)

    14/35

    Active Directory As a Database

Active Directory is a database

Each record is an object: users, groups, computers, and so on

Each field is an attribute: logon name, SID, password (stored hashed and not readable over LDAP), description, membership, and so on

Identities (security principals or accounts)

Services: Kerberos, DNS, replication, etc.

Accessing the database

Windows tools, user interfaces, and components

APIs (.NET, VBScript, Windows PowerShell)

Lightweight Directory Access Protocol (LDAP)

AD DS is, in the end, a database and the services that support or use that database

Schema demo
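To make the "database" view concrete, here is an added example (not from the course) that queries AD over LDAP from PowerShell using the .NET DirectorySearcher, which is available on any domain-joined Windows Server 2008 machine without extra tooling. It binds to RootDSE, searches the domain naming context for user objects (the records) and reads a handful of attributes (the fields), decoding the binary objectSid and two userAccountControl flags. The filter and attribute list are the parts you would normally change.

```powershell
# Added example (not from the course): read AD objects and attributes over LDAP.
# Serverless bind: the DC locator picks a domain controller for us.
$root     = [adsi]'LDAP://RootDSE'
$domainDn = [string]$root.defaultNamingContext          # e.g. DC=contoso,DC=com

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://$domainDn"         # search the Domain NC
$searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'   # "records" of type user
$searcher.PageSize   = 500                              # page results; a single unpaged query is capped at 1000
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'objectSid', 'userAccountControl', 'memberOf'))  # the "fields"

foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    # objectSid is stored as a byte array; SecurityIdentifier renders it as S-1-5-21-...
    $sid = New-Object System.Security.Principal.SecurityIdentifier($p['objectsid'][0], 0)
    $uac = [int]$p['useraccountcontrol'][0]
    $groupCount = if ($p.Contains('memberof')) { $p['memberof'].Count } else { 0 }
    New-Object PSObject -Property @{
        Account         = [string]$p['samaccountname'][0]
        SID             = $sid.Value
        Disabled        = [bool]($uac -band 0x0002)     # ACCOUNTDISABLE
        PwdNeverExpires = [bool]($uac -band 0x10000)    # DONT_EXPIRE_PASSWORD
        DirectGroups    = $groupCount                   # memberOf lists direct memberships only, not primary group
    }
}
```

The default AuthenticationTypes for a DirectoryEntry is Secure, so the bind uses Kerberos or NTLM rather than a simple (cleartext) LDAP bind; no password ever leaves the client. Note also that memberOf is a back-link attribute: it does not include the primary group, and nested memberships have to be expanded separately, which is why the access token in the earlier slides is built by the DC rather than read off a single attribute.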

    15/35

    Organizational Units

Containers: Users, Computers

Organizational units: containers that also support the management and configuration of objects using Group Policy

Create OUs to

Delegate administrative permissions

Apply Group Policy

    16/35

    Policy-Based Management

Active Directory provides a single point of management for security and configuration through policies

Group Policy: configuration applied to users or computers by scoping a GPO containing configuration settings

Domain password and lockout policy

Audit policy

Fine-grained password and lockout policies
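The domain password and lockout policy the slide refers to is stored as attributes on the domain object itself, and fine-grained policies as msDS-PasswordSettings objects; the script below, an added example that is not course material, reads both so you can verify what is actually in force rather than what the GPO editor shows. It assumes a domain-joined machine and, for the PSO part, a domain at the Windows Server 2008 functional level (the container does not exist otherwise, which the try/catch handles).

```powershell
# Added example (not from the course): read the effective domain password/lockout
# policy and any fine-grained password settings objects (PSOs).
$root     = [adsi]'LDAP://RootDSE'
$domainDn = [string]$root.defaultNamingContext

# AD stores the time-based settings as negative Int64 counts of 100-nanosecond units.
# 0 or Int64.MinValue means "not set / never" (for lockoutDuration: locked until an admin unlocks).
function ConvertFrom-AdInterval([long]$Ticks) {
    if ($Ticks -eq 0 -or $Ticks -eq [long]::MinValue) { return $null }
    return [TimeSpan]::FromTicks(-$Ticks)
}
function Format-Span($Span, [string]$Unit) {
    if ($Span -eq $null) { return 'never / unlimited' }
    if ($Unit -eq 'days') { return '{0:N1} days' -f $Span.TotalDays }
    return '{0:N0} minutes' -f $Span.TotalMinutes
}

# 1. The domain object holds the domain-wide policy
$s = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$domainDn")
$s.SearchScope = 'Base'
$s.Filter      = '(objectClass=domainDNS)'
$s.PropertiesToLoad.AddRange(@('minPwdLength', 'pwdHistoryLength', 'maxPwdAge', 'minPwdAge',
                               'lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow', 'pwdProperties'))
$p = $s.FindOne().Properties
New-Object PSObject -Property @{
    MinPasswordLength  = $p['minpwdlength'][0]
    PasswordHistory    = $p['pwdhistorylength'][0]
    MaxPasswordAge     = Format-Span (ConvertFrom-AdInterval $p['maxpwdage'][0]) 'days'
    MinPasswordAge     = Format-Span (ConvertFrom-AdInterval $p['minpwdage'][0]) 'days'
    LockoutThreshold   = $p['lockoutthreshold'][0]                # 0 means accounts never lock out
    LockoutDuration    = Format-Span (ConvertFrom-AdInterval $p['lockoutduration'][0]) 'minutes'
    ObservationWindow  = Format-Span (ConvertFrom-AdInterval $p['lockoutobservationwindow'][0]) 'minutes'
    ComplexityRequired = [bool]([int]$p['pwdproperties'][0] -band 1)   # DOMAIN_PASSWORD_COMPLEX
}

# 2. Fine-grained policies override the above for the users and groups they apply to
try {
    $psoRoot = [adsi]"LDAP://CN=Password Settings Container,CN=System,$domainDn"
    $pso = New-Object System.DirectoryServices.DirectorySearcher($psoRoot)
    $pso.Filter = '(objectClass=msDS-PasswordSettings)'
    $pso.PropertiesToLoad.AddRange(@('cn', 'msDS-PasswordSettingsPrecedence', 'msDS-MinimumPasswordLength',
                                     'msDS-LockoutThreshold', 'msDS-PSOAppliesTo'))
    foreach ($r in $pso.FindAll()) {
        $q = $r.Properties
        'PSO {0}: precedence {1}, min length {2}, lockout threshold {3}, applies to {4}' -f $q['cn'][0],
            $q['msds-passwordsettingsprecedence'][0], $q['msds-minimumpasswordlength'][0],
            $q['msds-lockoutthreshold'][0], (@($q['msds-psoappliesto']) -join '; ')
    }
}
catch { 'No Password Settings Container: domain functional level is below Windows Server 2008' }
```

A lockoutThreshold of 0 combined with a weak minimum length is the setting to look for first: with no lockout, online password guessing against the domain is limited only by network speed.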

    17/35

    The Active Directory Data Store

%systemroot%\NTDS\ntds.dit

Logical partitions (naming contexts)

Domain naming context

Schema

Configuration

Global catalog (aka Partial Attribute Set, PAS)

DNS (application partitions)

SYSVOL: %systemroot%\SYSVOL

Logon scripts

Policies

[Diagram: NTDS.DIT holding the PAS, DNS, Domain, Configuration and Schema partitions]

ntds.dit holds the password hashes of every account in the domain, so anyone who can read the file (or a backup, snapshot or VHD copy of it) can impersonate any domain principal; protect the DC's disks and backups accordingly.

    18/35

    Domain Controllers

    Servers that perform the AD DS role

    Host the Active Directory database (NTDS.DIT) and SYSVOL

    Replicated between domain controllers

    Kerberos Key Distribution Center (KDC) service: authentication

    Other Active Directory services

    Best practices

    Available: at least two in a domain

    Secure: Server Core, Read-only domain controllers (RODCs)

    19/35

    Domain

Made up of one or more DCs

All DCs replicate the domain naming context (Domain NC)

The domain is the context within which users, groups, computers, and so on are created

Replication boundary (the forest, not the domain, is the security boundary)

Trusted identity source: any DC can authenticate any logon in the domain

The domain is the maximum scope (boundary) for certain administrative policies

Password

Lockout

    20/35

    Replication

Multimaster replication

Objects and attributes in the database and the contents of SYSVOL are replicated

Several components work to create an efficient and robust replication topology and to replicate granular changes to AD

The Configuration partition of the database stores information about sites, network topology, and replication

[Diagram: DC1, DC2 and DC3 replicating with one another]

    21/35

    Sites

    An Active Directory object that represents a well-connected portion of your network

    Associated with subnet objects representing IP subnets

    Intrasite vs. intersite replication

    Replication within a site occurs very quickly (15-45 seconds)

    Replication between sites can be managed

    Service localization

    Log on to a DC in your site

[Diagram: Site A and Site B]

    22/35

    Tree

One or more domains in a single instance of AD DS that share a contiguous DNS namespace

Example: proseware.com is one tree; treyresearch.net and its child domain antarctica.treyresearch.net form a second tree

    23/35

    Forest

    A collection of one or more Active Directory domain trees

    First domain is the forest root domain

Single configuration and schema replicated to all DCs in the forest

    A security and replication boundary

    24/35

    The Global Catalog

Partial Attribute Set or Global Catalog

Contains every object in every domain in the forest

Contains only selected attributes

A type of index

Can be searched from any domain (global catalog servers answer on LDAP port 3268, or 3269 over SSL)

Very important for many applications

[Diagram: the PAS spanning Domain A and Domain B]

    25/35

    Functional Level

    Domain functional levels

    Forest functional levels

New functionality requires that all domain controllers are running a particular version of Windows

Windows 2000

Windows Server 2003

Windows Server 2008

Cannot raise the functional level while DCs are running previous versions of Windows

Cannot add DCs running previous versions of Windows after raising the functional level
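Before raising a level it is worth reading the current values and listing the operating system of every DC, because the raise is one-way. The script below is an added example, not course material: it reads the three functionality attributes from RootDSE (the numbers are what Windows stores; the name table covers the levels on the slide plus 2008 R2) and then queries every DC computer object in the domain for its OS. It assumes a domain-joined machine and read access to computer objects, which any authenticated user has by default.

```powershell
# Added example (not from the course): current functional levels and the OS of every DC.
$root     = [adsi]'LDAP://RootDSE'
$domainDn = [string]$root.defaultNamingContext

$levelName = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003';
                3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2' }
foreach ($attr in 'domainFunctionality', 'forestFunctionality', 'domainControllerFunctionality') {
    $v = [int][string]$root.$attr
    '{0,-30} {1} ({2})' -f $attr, $v, $levelName[$v]
}

# Every DC has SERVER_TRUST_ACCOUNT (0x2000) set in userAccountControl; the
# 1.2.840.113556.1.4.803 matching rule is LDAP's bitwise AND. Searching the whole
# domain rather than the Domain Controllers OU catches DCs that have been moved.
$s = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$domainDn")
$s.Filter = '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$s.PropertiesToLoad.AddRange(@('dNSHostName', 'operatingSystem', 'operatingSystemVersion'))
foreach ($r in $s.FindAll()) {
    $p = $r.Properties
    '{0,-40} {1} ({2})' -f $p['dnshostname'][0], $p['operatingsystem'][0], $p['operatingsystemversion'][0]
}
```

Any DC whose OS is below the target level blocks the raise, and once raised, a DC on an older OS can no longer be promoted into the domain; the list is also a quick way to spot a forgotten downlevel DC that is holding back features such as fine-grained password policies.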

    26/35

    DNS and Application Partitions

Active Directory and DNS are tightly integrated

One-to-one relationship between the DNS domain name and the logical domain unit of Active Directory

Complete reliance on DNS to locate computers and services in the domain

A domain controller acting as a DNS server can store the zone data in Active Directory itself, in an application partition

[Diagram: NTDS.DIT partitions: PAS, DNS, Domain, Configuration, Schema]
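The "complete reliance on DNS" on this slide and the "log on to a DC in your site" point on the Sites slide are the same mechanism: DCs register SRV records under _msdcs, and the DC locator queries first the site-specific names and then the domain-wide ones. The script below is an added example, not course material, that shows those records with the tools that ship with Windows Server 2008 (nslookup and nltest). contoso.com is a placeholder for your domain; the site name is read from the machine's own locator.

```powershell
# Added example (not from the course): how clients locate DCs and site-local DCs through DNS.
$Domain = 'contoso.com'   # placeholder

# Which site does this machine believe it is in? (derived from the subnet objects in the Configuration partition)
$site = (nltest /dsgetsite | Select-Object -First 1).Trim()
"This computer is in site: $site"

# Domain-wide locator records: every DC in the domain registers these
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"
nslookup -type=SRV "_kerberos._tcp.dc._msdcs.$Domain"

# Site-specific records: only DCs that cover this site register them, so these are tried first
nslookup -type=SRV "_ldap._tcp.$site._sites.dc._msdcs.$Domain"

# Global catalog servers are located through a forest-level name, not the domain name
nslookup -type=SRV "_gc._tcp.$Domain"

# The locator's own answer, with flags showing the roles of the DC it picked (GC, KDC, PDC, writable)
nltest "/dsgetdc:$Domain" /force
```

Two practical consequences: if a site has no DC covering it, the site-specific query returns nothing and clients fall back to any DC in the domain, often across a WAN link; and because these records are readable by anyone who can query DNS, they are also the first thing an attacker on the network uses to enumerate every DC, so they are not a place to rely on obscurity.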

    27/35

    Trust Relationships

Extends the concept of a trusted identity store to another domain

The trusting domain (with the resource) trusts the identity store and authentication services of the trusted domain

A trusted user can authenticate to, and be given access to resources in, the trusting domain

Within a forest, each domain trusts all other domains

Trust relationships can be established with external domains

[Diagram: trusted domain -> trusting domain]
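Each trust is stored as a trustedDomain object under CN=System, and the attributes on it are what decide whether "everyone from the trusted domain is trusted" really applies. The script below, an added example that is not course material, inventories the trusts of the current domain and decodes the direction, type and security-relevant attribute bits (SID filtering, transitivity, selective authentication). It assumes a domain-joined machine; the bit and value names are the ones Windows documents for these attributes.

```powershell
# Added example (not from the course): list and decode the trustedDomain objects of this domain.
$root     = [adsi]'LDAP://RootDSE'
$domainDn = [string]$root.defaultNamingContext

$s = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://CN=System,$domainDn")
$s.Filter = '(objectClass=trustedDomain)'
$s.PropertiesToLoad.AddRange(@('name', 'flatName', 'trustDirection', 'trustType', 'trustAttributes'))

# trustDirection is seen from this domain's point of view
$dirName  = @{ 0 = 'disabled'
               1 = 'inbound (the other domain trusts this one; our users can be authorized there)'
               2 = 'outbound (this domain trusts the other; its users can be authorized here)'
               3 = 'bidirectional' }
$typeName = @{ 1 = 'downlevel (Windows NT 4.0)'; 2 = 'uplevel (Active Directory)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }
$attrBits = @{ 0x01 = 'NON_TRANSITIVE'
               0x02 = 'UPLEVEL_ONLY'
               0x04 = 'QUARANTINED_DOMAIN (SID filtering enforced)'
               0x08 = 'FOREST_TRANSITIVE'
               0x10 = 'CROSS_ORGANIZATION (selective authentication)'
               0x20 = 'WITHIN_FOREST'
               0x40 = 'TREAT_AS_EXTERNAL' }

foreach ($r in $s.FindAll()) {
    $p     = $r.Properties
    $attrs = [int]$p['trustattributes'][0]
    $set   = @($attrBits.Keys | Where-Object { $attrs -band $_ } | Sort-Object | ForEach-Object { $attrBits[$_] })
    New-Object PSObject -Property @{
        Domain     = [string]$p['name'][0]
        NetBIOS    = [string]$p['flatname'][0]
        Direction  = $dirName[[int]$p['trustdirection'][0]]
        Type       = $typeName[[int]$p['trusttype'][0]]
        Attributes = ($set -join ', ')
    }
}
```

The attribute to check on every external trust is QUARANTINED_DOMAIN: without SID filtering, the trusted domain can place arbitrary SIDs (via SID history) in its users' tokens, including SIDs of privileged groups in your domain. Windows Server 2008 enables it by default on new external trusts; netdom trust with the /quarantine switch reports and changes it for a given trust. CROSS_ORGANIZATION is the counterpart for limiting which users the trust admits at all.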

    28/35

Active Directory Lightweight Directory Services (AD LDS)

Standalone version of Active Directory

Used to support applications that require a directory store

Allows customization without impact to the production Active Directory

Characteristics

A subset of AD DS functionality, sharing the same code

Schema, Configuration, and Application partitions

Replication

Not dependent upon AD DS

Can use AD DS to authenticate Windows security principals

Can run multiple instances on a single server

    29/35

    Active Directory Certificate Services (AD CS)

Extends the concept of trust

A certificate from a trusted certificate authority (CA) proves identity

Trust can be extended beyond the boundaries of your enterprise, as long as clients trust the CA of the certificates you present

Creates a public key infrastructure (PKI)

Confidentiality, integrity, authenticity, non-repudiation

Many uses

Internal-only or external

Secure Web sites (SSL)

VPN

Wireless authentication and encryption

Smart card authentication

Integration with AD DS is powerful, but not required

    30/35

Active Directory Rights Management Services (AD RMS)

Protects the information itself (how it may be used), not only access to it

Traditional model: the ACL defines access; there is no restriction on use

AD RMS: ensures access is limited and defines permitted use

Examples

Limit access to specified individuals

View e-mail but do not forward or print

View and print a document but cannot change or e-mail it

Requires

AD RMS: IIS and a database (SQL Server or Windows Internal Database)

AD DS

RMS-enabled applications, including Microsoft Office applications and Internet Explorer

    31/35

    Active Directory Federation Services (AD FS)

Extends the authority of AD DS to authenticate users

Traditional trust

Two Windows domains

Numerous TCP ports open in firewalls

Everyone from the trusted domain is trusted

AD FS uses Web services technologies to implement trust

One side is an AD DS or AD LDS directory; the other side can be Active Directory or another platform

Port 443: transactions are secured and encrypted (HTTPS)

Rules specify which users from the trusted domain are trusted

Uses

Business-to-business partnership

Single sign-on

    32/35

    Install Windows Server 2008

    Boot with installation media (DVD)

    Follow prompts and select the operating system to install


    33/35

Server Manager and Role-Based Configuration of Windows Server 2008

Windows Server 2008 has a minimal footprint

Functionality is added as roles or features

Server Manager: role and feature configuration along with the common administrative snap-ins for the server

    34/35

    Install and Configure a Domain Controller

1. Install the Active Directory Domain Services role using Server Manager

2. Run the Active Directory Domain Services Installation Wizard

3. Choose the deployment configuration

4. Select the additional domain controller features

5. Select the location for the database, log files, and SYSVOL folder

6. Configure the Directory Services Restore Mode Administrator password

    35/35

Prepare to Create a New Forest with Windows Server 2008

Domain's DNS name (e.g. contoso.com)

Domain's NetBIOS name (e.g. contoso)

Whether the new forest will need to support DCs running previous versions of Windows (affects choice of functional level)

Details about how DNS will be implemented to support AD DS

Default: creating a domain controller adds the DNS Server role as well

IP configuration for the DC

IPv4 and, optionally, IPv6 (use a static address: clients locate the DC through DNS records that point at it)

Username and password of an account in the server's Administrators group. The account must have a password.

Directory Services Restore Mode (DSRM) administrator password: it allows the DC to be booted offline with full access to ntds.dit, so choose a strong one and record it securely

Location for the data store (ntds.dit) and SYSVOL

Default: under %systemroot% (c:\windows)
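The wizard steps on the previous slide and the inputs listed here map one-to-one onto a dcpromo answer file, which is how the same promotion is done unattended on Windows Server 2008 (Server Core has no wizard at all). The script below is an added example, not course material: it builds the answer file from the values on this slide, prompts for the DSRM password instead of hard-coding it, runs dcpromo, and deletes the file afterwards because it contains that password in clear. contoso.com, CONTOSO and the paths are placeholders; ForestLevel/DomainLevel 3 means Windows Server 2008 (0 = 2000, 2 = 2003), which is the choice driven by the "previous versions of Windows" question above.

```powershell
# Added example (not from the course): unattended new-forest promotion with dcpromo.
# Run from an elevated prompt as a member of the local Administrators group (with a password set).
$secure = Read-Host -AsSecureString 'DSRM administrator password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.com
DomainNetbiosName=CONTOSO
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

$file = Join-Path $env:TEMP 'dcpromo-newforest.txt'
try {
    # Check the prerequisite the slide lists: a static IPv4 address (DHCP should be disabled on the DC's adapter)
    ipconfig /all | Select-String -Pattern 'IPv4 Address', 'DHCP Enabled'

    Set-Content -Path $file -Value $answer -Encoding ASCII
    $arg = "/unattend:$file"
    dcpromo $arg
    "dcpromo exit code: $LASTEXITCODE (reboot the server to complete the promotion)"
}
finally {
    # The answer file holds the DSRM password in clear text; never leave it on disk
    Remove-Item -Path $file -Force -ErrorAction SilentlyContinue
}
```

RebootOnCompletion is set to No so that the finally block is guaranteed to run before the server restarts; reboot manually afterwards. The DSRM password is the one credential that works when the directory itself is offline, which is why it is prompted for and zeroed rather than typed into a script.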