Chapter1 - Active Directory
COURSE
NETWORK TECHNOLOGY
Workgroup
❖A peer-to-peer group of computers that share resources.
❖As small as two computers, or it can scale up to be quite large.
[Figure: Workgroup]
[Figure: Domain]
Domain
❖Once authenticated, the user receives a token that follows them around the network and automatically proves their identity to other domain-joined servers and clients.
➢The token allows them to access resources that specifically grant them access.
❖Users only need to authenticate once to a domain controller to prove their identity to all domain members; this feature is called single sign-on.
❖The software components that provide this functionality are collectively called Active Directory.
➢It contains many other services and components to centrally manage and secure the computers that are joined to the domain.
o Group Policy can also be used to configure operating system settings, security, and software for different computers and users in the domain.
o Active Directory Certificate Services can be used to automate the configuration and deployment of encryption certificates to domain computers and users.
Domain
❖Advantages:
➢Centralization
➢Manageability
➢Scalability
➢Tight Security
➢Single-Sign-On
❖Disadvantages:
➢Complex
➢High level of administration
➢High-performance devices (server, router, switch)
➢Expensive
2 Active Directory
❖A directory service that stores user/computer accounts, applications, printers, shared folders, group policies, and all kinds of records.
➢The main Active Directory service is Active Directory Domain Services (AD DS).
o Provides centralized authentication and supports single sign-on to computers on the network that are joined to an Active Directory domain.
❖AD DS consists of the NTDS.DIT (New Technology Directory Service Directory Information Tree) file (%SystemRoot%\NTDS\Ntds.dit).
➢It is a database that stores all Active Directory data, including information about user objects, groups and group membership, as well as password hashes for domain users.
Domain
❖The database is logically separated into the following partitions:
➢Schema Partition: contains the definition of objects and the rules for their manipulation and creation in an Active Directory.
➢Configuration Partition: contains the forest-wide Active Directory topology, including DCs, sites and services.
➢Domain Partition: contains information about users, groups, computers and OUs.
➢Application Partition: stores information about applications in AD. For example, AD-integrated DNS zone information is stored in this partition.
❖Each domain controller (DC) has a centralized copy of the Active Directory database.
❖After the domain controller validates your user name and password, it issues your computer an encrypted token that lists:
➢Domain user account.
➢Tokens can only be decrypted by computers that participate in the same Active Directory domain.
❖When you access a shared resource on another computer in the domain, your token is automatically sent with the request to the target computer to verify your identity.
➢Access is then based on the permissions assigned to your domain user and group accounts listed within the resource’s ACL (Access Control List).
Active Directory
❖An object is the most basic component in the logical structure of AD, defined within the Active Directory database.
❖Domain (or Active Directory domain): used to group and manage objects.
➢Creates a management boundary.
➢Given a unique DNS domain name, such as domain1.com.
➢Each domain object often represents a separate business unit within your organization and can contain OUs as well as leaf objects.
❖Leaf objects: represent a user account, group account, computer account, or network resources published to the Active Directory database (e.g., shared printers).
❖Organizational Unit (OU): contains leaf objects or other OUs (called child OUs).
❖The OU structure you create for each domain should reflect the structure within that particular business unit.
❖Site: represents a physical location within your organization.
➢Each physical location contains a LAN that communicates with other physical locations over a WAN/Internet connection.
➢By representing each physical location with a site object, you can create settings that control the replication of Active Directory information across the Internet.
❖Domains are often used to represent a single business unit within an organization, which is suitable for smaller organizations.
❖Larger organizations often have multiple business units, and each business unit may need to access resources within other business units.
❖Active Directory forests are used to provide for multiple domains within the same organization.
Active Directory Forests and Trees
❖Forest: a collection of Active Directory domains that share a schema and some security principals.
➢The vast majority of organizations in the world have a single-domain forest.
➢Multiple-domain forests are generally used by larger, geographically dispersed organizations.
❖When you install the first domain controller within the first domain in an organization, a forest is created with the same name as this first domain.
❖The first domain in a forest is called the forest root domain.
[Figure: forest domain1.com containing domain1.com (forest root domain) and a second tree domain2.com with child domains hcm.domain2.com and hn.domain2.com]
❖To simplify administration and the user experience, you can set up
trusts between domains so that an authenticated user in one domain
can access resources in another domain without having to authenticate
with a separate set of credentials.
Active Directory Trusts
❖AD DS Trust Types:
➢Tree-Root Trust: a trust relationship that is automatically created and establishes a relationship between the forest root domain and a new tree.
o They can be transitive and created as two-way trusts.
➢Shortcut trust: used between Windows Server domains that reside in the same forest, where there is a need to optimize the authentication process. This may happen when a user in Domain A frequently needs to authenticate to Domain B.
o They can be transitive and created as one-way or two-way trusts.
[Figure: trust diagrams showing a Tree Root trust between domain1.com and domain2.com, Parent-Child trusts from domain1.com to a.domain1.com and b.domain1.com and from domain2.com to c.domain2.com, a Shortcut trust between child domains, and an External trust to a.domain3.net / b.domain3.net]
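To make the trust-type distinctions concrete, here is an added example (not from the slides) that models the figure above as a small trust graph and searches for an authentication path from a user's domain to a resource's domain. The topology, the direction of each trust, and the placement of the external trust between b.domain1.com and a.domain3.net are constructed for illustration; it shows why a shortcut trust cuts the referral chain from three hops to one, and why an external (non-transitive) trust can only be used as a direct hop.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple


class Trust:
    """A trust between two domains.

    trusting: the domain whose resources become accessible
    trusted:  the domain whose users are accepted
    For a two-way trust both directions apply.
    """

    def __init__(self, trusting: str, trusted: str, kind: str,
                 transitive: bool, two_way: bool = True):
        self.trusting, self.trusted, self.kind = trusting, trusted, kind
        self.transitive, self.two_way = transitive, two_way

    def directed_pairs(self):
        # Edges run from the user's domain towards the resource's domain.
        yield (self.trusted, self.trusting)
        if self.two_way:
            yield (self.trusting, self.trusted)


def trust_path(trusts: List[Trust], user_domain: str,
               resource_domain: str) -> Optional[List[str]]:
    """Breadth-first search for the shortest chain of trusts a logon
    referral would follow. Transitive trusts may be chained; a
    non-transitive trust (e.g. external) is only usable as the single hop."""
    adj: Dict[str, List[Tuple[str, Trust]]] = {}
    for t in trusts:
        for frm, to in t.directed_pairs():
            adj.setdefault(frm, []).append((to, t))
    if user_domain == resource_domain:
        return [user_domain]
    queue = deque([(user_domain, [user_domain])])
    seen = {user_domain}
    while queue:
        node, path = queue.popleft()
        for nxt, t in adj.get(node, []):
            if not t.transitive and len(path) > 1:
                continue                      # cannot reach a non-transitive trust via others
            if nxt == resource_domain:
                return path + [nxt]
            if not t.transitive:
                continue                      # cannot continue past a non-transitive trust
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


# Constructed topology based on the slide figure (assumed directions).
FOREST_TRUSTS = [
    Trust("domain1.com", "domain2.com", "tree-root", transitive=True),
    Trust("domain1.com", "a.domain1.com", "parent-child", transitive=True),
    Trust("domain1.com", "b.domain1.com", "parent-child", transitive=True),
    Trust("domain2.com", "c.domain2.com", "parent-child", transitive=True),
]
SHORTCUT = Trust("a.domain1.com", "c.domain2.com", "shortcut", transitive=True)
EXTERNAL = Trust("b.domain1.com", "a.domain3.net", "external", transitive=False)


if __name__ == "__main__":
    print("without shortcut:", trust_path(FOREST_TRUSTS, "a.domain1.com", "c.domain2.com"))
    print("with shortcut:   ", trust_path(FOREST_TRUSTS + [SHORTCUT], "a.domain1.com", "c.domain2.com"))
    print("external, direct:", trust_path(FOREST_TRUSTS + [EXTERNAL], "a.domain3.net", "b.domain1.com"))
    print("external, 2 hops:", trust_path(FOREST_TRUSTS + [EXTERNAL], "a.domain3.net", "a.domain1.com"))
```

The path returned for a.domain1.com to c.domain2.com without the shortcut climbs to the tree roots and back down; adding the shortcut trust makes it a single hop, which is exactly the optimisation the slide describes.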
❖For example, when assigning permissions on a resource, the interface you use will allow you to select users and groups within other domains in the forest from a list that is provided by the Global Catalog (GC).
❖The GC is required when logging into a computer as a user account within another domain in the forest.
➢The GC is contacted to verify the UPN and locate a domain controller that can complete the authentication process.
6 Authentication Process
▪ Group memberships.
▪ Interactive logon information.
▪ Message integrity.
➢Replaced by Kerberos.
➢High security.
Authentication Process
KDC: Key Distribution Center; TGT: Ticket-Granting Ticket
10. The client presents the session ticket to the server where the resource resides. The Local Security Authority (LSA) on the server uses the information in the session ticket to create an access token.
11. The LSA compares the SIDs in the access token with the groups that are assigned permissions in the resource’s discretionary access control list (DACL). If they match, the user is granted access to the resource.
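The token-versus-ACL comparison appears twice on these slides: in the domain logon description (the token is sent with the request and checked against the resource's ACL) and in step 11 of the Kerberos flow above. The following added example, which is not from the slides, models that check in Python. The domain SID, the RIDs, the group names and the access-mask bits are constructed; the evaluation order (deny ACEs first, allows accumulated until every requested right is granted) and the NULL-DACL versus empty-DACL distinction follow Windows behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed sample domain SID
READ, WRITE = 0x1, 0x2                                       # simplified access-mask bits


@dataclass
class AccessToken:
    """What the LSA builds from the session ticket: the user SID plus group SIDs."""
    user_sid: str
    group_sids: List[str]

    def sids(self) -> set:
        return {self.user_sid, *self.group_sids}


@dataclass
class ACE:
    kind: str   # "allow" or "deny"
    sid: str    # trustee SID the entry applies to
    mask: int   # rights this entry grants or denies


def access_check(token: AccessToken, dacl: Optional[List[ACE]], requested: int) -> bool:
    """Simplified AccessCheck.

    - A NULL DACL (None) means the object is unprotected: everyone gets everything.
    - An empty DACL ([]) grants nobody anything.
    - ACEs are walked in order; canonical order puts deny entries first.
      A matching deny on any still-wanted right refuses immediately; matching
      allows accumulate until every requested right has been granted.
    """
    if dacl is None:
        return True
    token_sids = token.sids()
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                              # entry is for someone else
        if ace.kind == "deny":
            if ace.mask & requested & ~granted:
                return False
        elif ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


# Constructed principals: Alice (RID 1105) is in Domain Users (513) and a
# "Sales" group (1201); Bob (RID 1106) is only in Domain Users.
ALICE = AccessToken(f"{DOMAIN_SID}-1105", [f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-1201"])
BOB = AccessToken(f"{DOMAIN_SID}-1106", [f"{DOMAIN_SID}-513"])

# Constructed DACL for a shared folder, already in canonical order.
SHARE_DACL = [
    ACE("deny", f"{DOMAIN_SID}-1105", WRITE),          # Alice is explicitly denied write
    ACE("allow", f"{DOMAIN_SID}-513", READ),           # Domain Users may read
    ACE("allow", f"{DOMAIN_SID}-1201", READ | WRITE),  # Sales may read and write
]


if __name__ == "__main__":
    for name, token in (("Alice", ALICE), ("Bob", BOB)):
        print(name, "read:", access_check(token, SHARE_DACL, READ),
              "write:", access_check(token, SHARE_DACL, WRITE))
```

Alice's Sales membership would grant write, but the explicit deny on her own SID is evaluated first and wins; Bob can read through Domain Users but has no entry granting write, so the walk ends with the requested bits unsatisfied.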
Multi-master model
❖Active Directory is the central repository in which all objects in an enterprise and their respective attributes are stored.
➢It's a hierarchical, multi-master enabled database that can store millions of objects.
➢Changes to the database can be processed at any domain controller (DC) in the enterprise.
➢Possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise.
7 Flexible Single Master Operations (FSMO) Role
FSMO Role
❖Need a conflict resolution algorithm.
➢Whichever change was written last wins: the last writer wins.
➢The changes in all other DCs are discarded.
➢However, there are times when conflicts are too difficult to resolve using the last-writer-wins approach.
➢In such cases, it's best to prevent the conflict from occurring rather than to try to resolve it after the fact.
Single-master model
❖To prevent conflicting updates, Active Directory performs updates to certain objects in a single-master fashion.
➢Only one DC in the entire directory is allowed to process those updates.
❖Active Directory includes multiple roles, and the ability to transfer roles to any DC in the enterprise.
❖Five Flexible Single Master Operations (FSMO) roles:
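The following added example (not from the slides) simulates both models side by side: two DCs change the same attribute before replicating, and last-writer-wins decides which change survives, while an attribute marked single-master is refused on any DC other than the role holder. The DC names, attribute names and clock values are constructed; the conflict stamp compared here (version number, then originating timestamp, then originating DC) mirrors the stamp Active Directory replication uses.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Stamp:
    """Replication metadata carried with every attribute value."""
    version: int      # incremented on each originating write
    timestamp: int    # originating time (constructed integer clock)
    origin: str       # originating DC, used as final tie-breaker

    def key(self) -> Tuple[int, int, str]:
        return (self.version, self.timestamp, self.origin)


class DomainController:
    def __init__(self, name: str, single_master_attrs: Iterable[str] = (),
                 role_holder: Optional[str] = None):
        self.name = name
        self.store: Dict[str, Tuple[str, Stamp]] = {}
        self.single_master_attrs = set(single_master_attrs)
        self.role_holder = role_holder          # DC allowed to write single-master attrs
        self.discarded: List[Tuple[str, str]] = []   # (attr, value) overwritten by a remote write

    def write(self, attr: str, value: str, now: int) -> None:
        """Originating write. Single-master attributes are refused unless
        this DC holds the role, which is how the conflict is prevented."""
        if attr in self.single_master_attrs and self.role_holder != self.name:
            raise PermissionError(f"{attr} is single-master; refer to {self.role_holder}")
        prev_version = self.store[attr][1].version if attr in self.store else 0
        self.store[attr] = (value, Stamp(prev_version + 1, now, self.name))

    def replicate_from(self, other: "DomainController") -> None:
        """Inbound replication with last-writer-wins conflict resolution."""
        for attr, (value, stamp) in other.store.items():
            if attr not in self.store:
                self.store[attr] = (value, stamp)
                continue
            mine, my_stamp = self.store[attr]
            if stamp.key() > my_stamp.key():     # remote write is newer: mine is discarded
                self.discarded.append((attr, mine))
                self.store[attr] = (value, stamp)

    def get(self, attr: str) -> str:
        return self.store[attr][0]


def multi_master_conflict() -> Tuple[DomainController, DomainController]:
    """Both DCs edit 'description' before replicating; the later write wins."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("description", "A", now=10)
    dc2.write("description", "B", now=12)
    dc1.replicate_from(dc2)
    dc2.replicate_from(dc1)
    return dc1, dc2


def single_master_write(attr: str, value: str) -> str:
    """DC2 tries to update a single-master attribute it does not own."""
    dc2 = DomainController("DC2", single_master_attrs={attr}, role_holder="DC1")
    try:
        dc2.write(attr, value, now=20)
        return "accepted"
    except PermissionError as err:
        return str(err)


if __name__ == "__main__":
    d1, d2 = multi_master_conflict()
    print("converged to:", d1.get("description"), d2.get("description"))
    print("DC1 discarded:", d1.discarded)
    print(single_master_write("schemaVersion", "2"))
```

Both DCs converge on "B" and DC1 records that its own write "A" was thrown away; nothing warned the administrator who wrote "A". For the single-master attribute the second writer is refused up front instead, which is the trade-off the slides describe.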
FSMO Roles
❖Domain naming master
➢Manages the forest-wide domain name space of the directory.
➢Only the DC which is the Domain naming master holder can add or remove domains and application partitions from the directory.
➢There's only one Domain naming master per forest.
o Default: Primary DC (PDC) of the Forest Root Domain.
❖Relative Identifier (RID) master
➢Allocates Relative Identifier (RID) pools to DCs in its domain.
o When a DC creates a security principal object (e.g., user or group), it attaches a unique SID to the object, which consists of:
▪ A domain SID that's the same for all SIDs created in a domain.
▪ A RID that's unique for each security principal SID created in a domain.
➢Review the Distinguished Name (DN):
o Unique in the Forest.
o Includes enough information to locate a replica of the partition that holds the object.
▪ An RDN is an attribute with an associated value in the form attribute=value.
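An added example (not from the slides) that ties the RID master, the SID layout and the DN review together: a RID master hands out non-overlapping pools, each DC takes RIDs from its pool when it creates a security principal, the resulting SID is domain SID plus RID, and the object's DN is split into its RDNs with the DC= components naming the partition that holds it. The domain SID, the DC and user names and the pool size are constructed; the default pool size of 500 used here is an assumption not stated on the slides.

```python
from typing import Dict, List, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed sample domain SID
DEFAULT_POOL_SIZE = 500                                      # assumed default pool size


class RidMaster:
    """The one DC per domain that allocates RID pools (FSMO role)."""

    def __init__(self, pool_size: int = DEFAULT_POOL_SIZE, first_rid: int = 1000):
        self.pool_size = pool_size
        self.next_free = first_rid
        self.issued: List[Tuple[str, int, int]] = []   # (DC name, low RID, high RID)

    def allocate_pool(self, dc_name: str) -> Tuple[int, int]:
        low, high = self.next_free, self.next_free + self.pool_size - 1
        self.next_free = high + 1                     # pools never overlap
        self.issued.append((dc_name, low, high))
        return low, high


class DomainController:
    def __init__(self, name: str, rid_master: RidMaster):
        self.name = name
        self.rid_master = rid_master
        self.pool: Optional[Tuple[int, int]] = None   # (next unused RID, last RID in pool)
        self.objects: Dict[str, str] = {}              # DN -> objectSid

    def _take_rid(self) -> int:
        if self.pool is None or self.pool[0] > self.pool[1]:
            # Pool exhausted (or never issued): ask the RID master for a new one.
            self.pool = self.rid_master.allocate_pool(self.name)
        rid, last = self.pool
        self.pool = (rid + 1, last)
        return rid

    def create_principal(self, dn: str) -> str:
        """Create a user/group object: SID = domain SID + RID from the local pool."""
        sid = f"{DOMAIN_SID}-{self._take_rid()}"
        self.objects[dn] = sid
        return sid


def split_sid(sid: str) -> Tuple[str, int]:
    """Separate the domain SID from the trailing RID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, honouring backslash escapes."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character is kept literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip(), value.strip()))
    return out


def partition_of(dn: str) -> str:
    """The DC= components of a DN name the domain partition holding the object."""
    return ".".join(value for attr, value in parse_dn(dn) if attr.upper() == "DC")


if __name__ == "__main__":
    master = RidMaster(pool_size=3)                # tiny pool so exhaustion is visible
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    for i in range(4):
        print(dc1.create_principal(f"CN=User{i},OU=Sales,DC=domain1,DC=com"))
    print(dc2.create_principal("CN=Bob,OU=HR,DC=domain1,DC=com"))
    print(master.issued)
    print(parse_dn(r"CN=Smith\, John,OU=Sales,DC=domain1,DC=com"))
```

With a pool of three, DC1's fourth object forces a second pool request, and DC2's first object lands in a third, disjoint range; because every DC draws from its own range, SIDs stay unique without the DCs coordinating on each creation.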