Presentation transcript: "Mark McCoy MCSE, CNE, CISSP"

Slide 1: Windows 2008 Active Directory Configuration – Week 3 of 6
Microsoft Test
Mark McCoy, MCSE, CNE, CISSP
Slide 2: Week 3 Agenda
Review Week 2:
- Ch 3 - Planning and Installation of Active Directory
- Ch 4 - Installing and Managing Trees and Forests
Week 3 Discussion:
- Ch 5 – Configuring Sites and Replication
- Ch 6 - Configuring Active Directory Server Roles
Questions & Answers
Week 3 Homework Assignment
Slide 3: Chapter 1 – Overview of Active Directory
- The Windows NT 4 Domain Construct (the “Roots” of the Active Directory Tree and Forest)
- The Benefits of Active Directory
- The Logical Structure of Active Directory
- Understanding Active Directory Objects
- Windows 2008 Server Roles
- Identity and Access (IDA) in Active Directory
- Exam Essentials
Slide 4: Comparison of Domain Functional Level Capabilities
Table columns: Domain Functional Feature | Windows 2000 Native | Windows Server 2003 | Windows Server 2008 (each feature is marked Disabled or Enabled at each level)
Features compared:
- Fine-grained password policies
- Read-only domain controller (RODC)
- Last interactive logon information
- Advanced Encryption Services (AES 128 and 256) support for the Kerberos protocol
- Distributed File System replication support for Sysvol
- Ability to redirect the Users and Computers containers
- Ability to rename domain controllers
- Logon timestamp updates
- Kerberos KDC key version numbers
- InetOrgPerson objects can have passwords
- Converts NT groups to domain local and global groups
- SID history
- Group nesting
- Universal groups
Slide 5: NTDSUTIL Command Options (ntdsutil Domain Management commands)
Command: Purpose
- Help or ?: Displays information about the commands that are available within the Domain Management menu of the ntdsutil command.
- Connection or Connections: Allows you to connect to a specific domain controller. This sets the context for further operations that are performed on specific domain controllers.
- Create NC PartitionDistinguishedName DNSName: Creates a new application directory partition.
- Delete NC PartitionDistinguishedName: Removes an application data partition.
- List NC Information PartitionDistinguishedName: Shows information about the specified application data partition.
- List NC Replicas PartitionDistinguishedName: Returns information about all replicas for the specified application data partition.
- Precreate PartitionDistinguishedName ServerDNSName: Precreates cross-reference application data partition objects. This allows the specified DNS server to host a copy of the application data partition.
- Remove NC Replica PartitionDistinguishedName DCDNSName: Removes a replica from the specified domain controller.
- Select Operation Target: Selects the naming context that will be used for other operations.
- Set NC Reference Domain PartitionDistinguishedName DomainDistinguishedName: Specifies the reference domain for an application data partition.
- Set NC Replicate NotificationDelay PartitionDistinguishedName FirstDCNotificationDelay OtherDCNotificationDelay: Defines settings for how often replication will occur for the specified application data partition.
Slide 6: Chapter 3 – Exam Essentials
Know the prerequisites for promoting a server to a domain controller. You should understand the tasks that you must complete before you attempt to upgrade a server to a domain controller. Also, you should have a good idea of the information you need in order to complete the domain controller promotion process.
Understand the steps of the Active Directory Installation Wizard (DCPROMO). When you run the Active Directory Installation Wizard, you'll be presented with many different choices. You should understand the effects of the various options provided in each step of the wizard.
Be familiar with the tools that you will use to administer Active Directory. Three main administrative tools are installed when you promote a Windows Server 2008 computer to a domain controller. Be sure you know which tools to use for which types of tasks.
Understand the purpose of application data partitions. The idea behind application data partitions is that, since you already have a directory service that can replicate all kinds of security information, you can also use it to keep track of application data. The main benefit of storing application information in Active Directory is that you can take advantage of its storage mechanism and replication topology. Application-related information stored on domain controllers benefits from having fault-tolerance features and availability.
Slide 9: Chapter 4 Exam Essentials
Understand the reasons for using multiple domains. There are seven primary reasons for using multiple domains: they provide additional scalability, they reduce replication traffic, they help with political and organizational issues, they provide many levels of hierarchy, they allow for decentralized administration, legality, and they allow for multiple DNS or domain names.
Understand the drawbacks of using multiple domains. With multiple domains, maintaining administrative consistency is more difficult. The number of administrative units multiplies as well, which makes it difficult to keep track of network resources. Finally, it is much more difficult to rearrange the domain topology within an Active Directory environment than it is to simply reorganize OUs.
Know how to create a domain tree. To create a new domain tree, you need to promote a Windows Server 2008 computer to a domain controller, select the option that makes this domain controller the first machine in a new domain, and make that domain the first domain of a new tree. The result is a new domain tree.
Know how to join a domain tree to a forest. Creating a new tree to form or add to a forest is as simple as promoting a server to a domain controller for a new domain that does not share a namespace with an existing Active Directory domain. In order to add a domain to an existing forest, you must already have at least one other domain. This domain serves as the root domain for the entire forest.
Understand how to manage single-master operations. Single-master operations must be performed on specially designated machines within the Active Directory forest. There are five main single-master functions: two that apply to an entire Active Directory forest (Schema Master and Domain Naming Master) and three that apply to each domain (RID Master, PDC Emulator Master, and Infrastructure Master).
Understand how to manage trusts. When configuring trusts, you'll need to consider two main characteristics: transitivity and direction. The simplest way to understand transitive relationships is through an example like the following: if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A implicitly trusts Domain C. Trusts can be configured as intransitive so that this type of behavior does not occur. In one-way relationships, the trusting domain allows resources to be shared with the trusted domain. In two-way relationships, both domains trust each other equally. Special trusts include external trusts, realm trusts, cross-forest trusts, and shortcut trusts.
Understand how to manage UPN suffixes. By default, the name of the domain in which the user is created determines the UPN suffix. By adding additional UPN suffixes to the forest, you can easily choose more manageable suffixes when it comes time to create new users.
Understand how to manage Global Catalog (GC) servers. You can configure any number of domain controllers to host a copy of the GC. The GC contains all of the schema information and a subset of the attributes for all domains within the Active Directory environment. Servers that contain a copy of the GC are known as GC servers. Whenever a user executes a query that requires information from multiple domains, they need only contact the nearest GC server for this information. Similarly, when users must authenticate across domains, they will not have to wait for a response from a domain controller that may be located across the world. The end result is increased overall performance of Active Directory queries.
Understand Universal Group Membership Caching. You can enable a domain controller as a universal group membership caching server. The universal group membership caching machine will then send a request for the logon authentication of a user to the GC server. The GC will then send the information back to the universal group membership caching server to be cached locally for 8 hours (by default). The user can then authenticate without the need to contact the GC again.
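The following script, added here as a worked example and not part of the slide deck, walks through the Chapter 4 essentials above with the ActiveDirectory PowerShell module: it lists the five single-master role holders, shows the direction and transitivity of every trust, adds a UPN suffix, reports Global Catalog placement, and enables a GC and universal group membership caching. The module shipped with Windows Server 2008 R2 and later (the site cmdlet used at the end requires the Windows Server 2012 module or newer); on Windows Server 2008 the same tasks are done in the snap-ins and with ntdsutil. The names `cbshome.example`, `DC02` and `Davenport Sales Office` are constructed for the example.

```powershell
# Added example, not from the slides. Requires the ActiveDirectory module (RSAT or a DC).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Single-master (FSMO) roles: two are forest-wide, three are per domain.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Trusts: direction and transitivity are the two characteristics the slide names.
# SID filtering and selective authentication are the controls that limit what a
# trusted domain's accounts can do on your side of the trust.
# (The module really spells the property "DisallowTransivity".)
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, DisallowTransivity, IntraForest,
                  SelectiveAuthentication, SIDFilteringForestAware, SIDFilteringQuarantined |
    Format-Table -AutoSize

# UPN suffixes: register a shorter suffix so new users can log on as
# user@cbshome.example (constructed suffix) instead of the full domain name.
Set-ADForest -Identity $forest -UPNSuffixes @{ Add = 'cbshome.example' }
Get-ADForest | Select-Object -ExpandProperty UPNSuffixes

# Global Catalog placement: which DC, in which site, holds a GC and which roles.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize

# Make DC02 (constructed name) a GC server. The GC flag is bit 1 of the "options"
# attribute on the DC's NTDS Settings object; -Replace overwrites the whole value,
# so only use it when no other option bits are set on that object.
$ntds = (Get-ADDomainController -Identity 'DC02').NTDSSettingsObjectDN
Set-ADObject -Identity $ntds -Replace @{ options = 1 }

# Transfer a per-domain single-master role to DC02.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator -Confirm:$false

# Universal group membership caching for a branch site without its own GC
# (Set-ADReplicationSite is a Windows Server 2012+ module cmdlet).
Set-ADReplicationSite -Identity 'Davenport Sales Office' -UniversalGroupCachingEnabled $true
```

Run the reporting parts first; the `Set-`/`Move-` lines change the forest configuration and are written for a lab. Trust output with `SIDFilteringQuarantined` set to false on an external trust is worth a second look, since SID filtering is what stops SID-history values from a foreign domain being honoured.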
Slide 10: Chapter 5 - Configuring Sites and Replication
- Chapter 5 Exam Objectives
- Overview of Network Planning
- Overview of Active Directory Replication and Sites
- Implementing Sites and Subnets
- Configuring Replication
- Monitoring and Troubleshooting Active Directory Replication
- Exam Essentials
Slide 11: Chapter 5 Exam Objectives
Configuring the Active Directory Infrastructure
- Configure sites. May include but is not limited to: create Active Directory subnets; configure site links; configure site link costing; configure sites infrastructure
- Configure Active Directory replication. May include but is not limited to: Distributed File System; one-way replication; Bridgehead server; replication scheduling; configure replication protocols; force intersite replication
Slide 12: Overview of Network Planning
Three Types of “Networks”
- LAN: Well-Connected/Reliable; Fast Link Speeds (10M – Gigabit)
- WAN: Somewhat “unreliable”; Slower Link Speeds (56K – 1.5M)
- Internet
Network Constraints
- Bandwidth
- Cost
Slide 13: Overview of AD Replication and Sites
- The Active Directory Database is copied, in a “Multi-Master” fashion, from “One” to “All” Domain Controllers
- “Sites” represent the Physical Structure of the Organization
- Replication “Building Blocks”: Site, Subnet, Site Links, Bridgehead Server
Slide 14: Replication Building Blocks
Site
- Physical Location within the company
- Contains Domain Controller(s) that must replicate with each other, within a site and between sites
- Can contain a single Domain or Multiple Domains
Subnet
- The IP Subnet that defines the Site from a Routing Perspective
Site Link
- The Physical Connectivity from one site to another within the company
- The Site Link is given a relative cost; faster links are assigned a lower value
- Link transport protocol can be RPC over IP or SMTP
Bridgehead Server
- Server within a site that “speaks for the site” when replicating AD information to another site
- DCs within a site replicate with their Bridgehead Server, and the Bridgehead Server replicates AD data to other sites, conserving bandwidth
Slide 15: Implementing Sites and Subnets
A Site in Active Directory represents a physical location within a company
- CBSHOME Real Estate Sites may be as follows: Agent Services; West Dodge Sales Office; Northwest Sales Office; Davenport Sales; Etc.
Each site is associated with an IP Subnet
- CBSHOME Subnets would be as follows: Agent Services: /24; West Dodge Sales Office: /24; Northwest Sales Office: /24; Davenport Sales Office: /24
Each site can contain one or more Domains
- CBSHOME Sites contain one Domain
- Two or more Domains can be co-located within a single site
At least one Domain Controller/Global Catalog Server should be placed in each site to provide better Authentication and Resource Location response times.
Let's create a few Sites and Subnets using the AD Sites and Services Snap-in….
Slide 16: Configuring Replication
Replication Comes in Two Flavors
- Intra-Site (DCs within a site Replicate AD Data with one another): normally uses RPC over IP because the link is “well-connected and reliable”
- Inter-Site (DCs from one Site Replicate AD Data with DCs in another Site): normally uses SMTP because the link is somewhat unreliable; can also use RPC over IP if the link is reliable
Site Link properties (which link Sites and their IP Subnets) are used to control replication time and frequency between sites (which are assumed to be WAN links that are “slow” and somewhat unreliable)
A Bridgehead Server can be defined in a site to handle the Inter-Site replication and cut down on some of the Inter-Site replication traffic.
Let's configure a few Site Links and maybe a bridgehead server…
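The slides above build the topology in the AD Sites and Services snap-in; the script below, added as an example and not part of the deck, builds the same CBSHOME topology from PowerShell so the relationship between sites, subnets, site-link cost and schedule, and a preferred bridgehead is visible in one place. The `*-ADReplication*` cmdlets come with the ActiveDirectory module of Windows Server 2012 and later (or RSAT), not with Windows Server 2008 itself. The site names are taken from the slides; the subnet prefixes, site-link names, costs, intervals and the hostname `DAVDC01` are constructed for the example.

```powershell
# Added example, not from the slides. Requires the Windows Server 2012+ ActiveDirectory module.
Import-Module ActiveDirectory

# One site per physical office (names from the slide deck); skip any that already exist.
$sites = 'Agent Services', 'West Dodge Sales Office', 'Northwest Sales Office', 'Davenport Sales Office'
foreach ($site in $sites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site -Description "CBSHOME office: $site"
    }
}

# Associate each site with its IP subnet. The slides show only the /24 masks, so the
# network prefixes here are constructed RFC 1918 values.
$subnets = @{
    '10.1.0.0/24' = 'Agent Services'
    '10.2.0.0/24' = 'West Dodge Sales Office'
    '10.3.0.0/24' = 'Northwest Sales Office'
    '10.4.0.0/24' = 'Davenport Sales Office'
}
foreach ($prefix in $subnets.Keys) {
    New-ADReplicationSubnet -Name $prefix -Site $subnets[$prefix]
}

# Site links carry the relative cost (lower = preferred by the KCC) and the inter-site
# replication interval in minutes. The well-connected hub links are cheap and frequent;
# the slow WAN link to Davenport is expensive and replicates every three hours, so
# replication to Davenport flows through the hub rather than over a direct path.
New-ADReplicationSiteLink -Name 'AgentServices-WestDodge' `
    -SitesIncluded 'Agent Services', 'West Dodge Sales Office' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

New-ADReplicationSiteLink -Name 'AgentServices-Northwest' `
    -SitesIncluded 'Agent Services', 'Northwest Sales Office' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

New-ADReplicationSiteLink -Name 'AgentServices-Davenport' `
    -SitesIncluded 'Agent Services', 'Davenport Sales Office' `
    -Cost 400 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# Nominate DAVDC01 (constructed hostname) as the preferred bridgehead for the IP
# transport in the Davenport site: the KCC then uses it for all inter-site replication
# instead of electing a DC on its own. The attribute is a DN list pointing at the
# transport object under CN=Inter-Site Transports.
$ipTransport = 'CN=IP,CN=Inter-Site Transports,CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
$serverDn = (Get-ADDomainController -Identity 'DAVDC01').ServerObjectDN
Set-ADObject -Identity $serverDn -Replace @{ bridgeheadTransportList = $ipTransport }

# Review what the KCC will work from.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Format-Table -AutoSize
```

Keep the cost numbers meaningful relative to each other rather than absolute: the KCC sums costs along a path and picks the lowest total, so a misconfigured cheap link across a slow WAN pulls replication traffic onto exactly the link you wanted to protect.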
Slide 17: Monitoring and Troubleshooting AD Replication
Monitoring Replication
- System Monitor
- Event Viewer (available within Server Manager)
Troubleshooting Replication
- Verify Network Connectivity
- Verify Firewall and Router Configuration
- Verify That Information is Synchronized
- Verify the Replication Topology
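A scripted version of the troubleshooting checklist on this slide, added here as an example (it is not from the deck): it tests connectivity to every DC on the ports replication needs, reports partner failures and last-success times, prints the `repadmin` and `dcdiag` topology views, and pulls the recent replication errors out of the Directory Service event log. It assumes the ActiveDirectory module plus `repadmin.exe` and `dcdiag.exe` (installed with the AD DS role and RSAT) and is run from an elevated, domain-joined prompt.

```powershell
# Added example, not from the slides. Requires the ActiveDirectory module, repadmin and dcdiag.
Import-Module ActiveDirectory

# Any writable DC serves as the vantage point for the forest-wide queries.
$dc = (Get-ADDomainController -Discover -Writable).HostName

# 1. Network connectivity: RPC endpoint mapper (135) and LDAP (389) to each DC.
#    A firewall or router blocking these shows up here before anything else.
Get-ADDomainController -Filter * | ForEach-Object {
    $hostName = $_.HostName
    foreach ($port in 135, 389) {
        $ok = (Test-NetConnection -ComputerName $hostName -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-30} tcp/{1,-4} {2}' -f $hostName, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 2. Is information synchronized? Current failures per replication partner, forest-wide,
#    then the last success/result for every partner and partition.
Get-ADReplicationFailure -Target $dc -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

Get-ADReplicationPartnerMetadata -Target $dc -Scope Forest |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Sort-Object ConsecutiveReplicationFailures -Descending |
    Format-Table -AutoSize

# 3. Replication topology: forest summary, this DC's inbound connections, and the
#    dcdiag replication and topology tests.
repadmin /replsummary
repadmin /showrepl $dc
dcdiag /s:$dc /test:Replications /test:Topology

# 4. Event Viewer, scripted: errors (level 2) and warnings (level 3) from the AD DS
#    provider in the Directory Service log over the last 24 hours.
Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName      = 'Directory Service'
    ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
    Level        = 2, 3
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

Read the output in the order the slide gives: a blocked port explains every downstream failure, a partner with a growing `ConsecutiveReplicationFailures` count explains stale data, and only then is the topology itself the suspect.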
Slide 18: Chapter 5 Exam Essentials
Understand the purpose of Active Directory replication. Replication is used to keep domain controllers synchronized and is important in Active Directory environments of all sizes. Replication is the process by which changes to the Active Directory database are transferred between domain controllers.
Understand the concept of sites, site boundaries, and subnets. Subnets define physical portions of your network environment. Sites are defined as collections of well-connected IP subnets. Site boundaries are defined by the subnet or subnets that you include in your site configuration.
Understand the differences between intrasite and intersite replication. Intrasite replication is designed to synchronize Active Directory information to machines that are located in the same site. Intersite replication is used to synchronize information for domain controllers that are located in different sites.
Understand the purpose of bridgehead servers. Bridgehead servers are designed to accept traffic between two remote sites and to then forward this information to the appropriate servers. One way to efficiently synchronize data between sites that are connected with slow connections is to use a bridgehead server.
Implement site links, site link bridges, and connection objects. You can use all three of these object types to finely control the behavior of Active Directory replication and to manage replication traffic. Site links are created to define the types of connections that are available between the components of a site. Site links can reflect a relative cost for a network connection and can reflect the bandwidth that is available for communications. You can use site link bridges to connect site links together so that the relationship can be transitive. Connection objects provide you with a way to set up special types of replication schedules such as immediate replication on demand or specifying a custom schedule for certain servers.
Configure replication schedules and site link costs. You can create multiple site links between sites and you can assign site links a cost value based on the type of connection. The systems administrator determines the cost value, and the relative costs of site links are then used to determine the optimal path for replication. The lower the cost, the more likely the link is to be used for replication. Once you've determined how and through which connections replication will take place, it's time to determine when information should be replicated. Replication requires network resources and occupies bandwidth. Therefore, you need to balance the need for consistent directory information with the need to conserve bandwidth.
Determine where to place domain controllers and Global Catalog servers based on a set of requirements. Where you place domain controllers and Global Catalog servers can positively affect the performance of Active Directory operations. However, to optimize performance, you need to know where the best places are to put these servers in a network environment that consists of multiple sites.
Monitor and troubleshoot replication. The Windows Server 2008 System Monitor administrative tool is designed so that you can monitor many performance statistics associated with using Active Directory. In addition to this monitoring, you should always verify basic network connectivity and router and firewall connections, as well as examine the event logs.
Slide 19: Chapter 6 - Configuring Active Directory Server Roles
- Understanding Server Manager
- Configuring Active Directory Certificate Services
- Understanding Active Directory Domain Services
- Active Directory Federation Services
- Active Directory Lightweight Directory Services
- Active Directory Rights Management Services
- Exam Essentials
Slide 20: Chapter 6 Exam Objectives
Configuring Additional Active Directory Server Roles
- Configure Active Directory Lightweight Directory Service (AD LDS). May include but is not limited to: migration to AD LDS; configure data within AD LDS; configure an authentication server; server core; Windows Server 2008 Hyper-V
- Configure Active Directory Rights Management Service (AD RMS). May include but is not limited to: certificate request and installation; self-enrollments; delegation; Active Directory Metadirectory Services (AD MDS); Windows Server virtualization
- Configure the read-only domain controller (RODC). May include but is not limited to: unidirectional replication; Administrator role separation; read-only DNS; BitLocker; credential caching; password replication; syskey; Windows Server virtualization
- Configure Active Directory Federation Services (AD FS). May include but is not limited to: install AD FS server role; exchange certificate with AD FS agents; configure trust policies; configure user and group claim mapping; Windows Server virtualization
Creating and Maintaining Active Directory Objects
- Configure account policies. May include but is not limited to: domain password policy; account lockout policy; fine-grain password policies
Configuring Active Directory Certificate Services
- Install Active Directory Certificate Services. May include but is not limited to: standalone vs. enterprise; CA hierarchies—root vs. subordinate; certificate requests; certificate practice statement
- Configure CA server settings. May include but is not limited to: key archival; certificate database backup and restore; assigning administration roles
- Manage certificate templates. May include but is not limited to: certificate template types; securing template permissions; managing different certificate template versions; key recovery agent
- Manage enrollments. May include but is not limited to: network device enrollment service (NDES); autoenrollment; Web enrollment; smart card enrollment; creating enrollment agents
- Manage certificate revocations. May include but is not limited to: configure Online Responders; Certificate Revocation List (CRL); CRL Distribution Point (CDP); Authority Information Access (AIA)
Slide 21: Understanding Server Manager (The “One Stop” Shop)
Add Server Roles
- AD Certificate Services
- AD Domain Services
- AD Federation Services
- AD Lightweight Directory Services
- AD Rights Management Services
Add “Services”
- DHCP
- DNS
- IIS
- Etc.
Monitor the Server
- Event Viewer
- Configuration
- Storage
Slide 22: Configuring AD Certificate Services
AD Certificate Services enables you to implement:
- Secure Socket Layer (SSL)/Transport Layer Security (TLS) – HTTPS
- Two-Factor Authentication – Smart Card Logon
- Encryption
- Etc.
Implements what is referred to as “Public Key” Infrastructure (PKI)
- Data is encrypted/decrypted by a Public Key (which is “known”), a Private Key (which is highly secured), and an encryption algorithm that relates the two keys
- Security of PKI relies on the Private Key being Highly Secure
Slide 23: Certificate Services Hierarchy
Certificate Authority
- Enterprise Root: The “Supreme Key Holder” in an AD PKI Infrastructure; Issues Certificates to Subordinate CAs or Clients
- Stand-Alone: The “Supreme Key Holder” in a non-AD PKI Infrastructure
- Subordinate: Receives its Certificate from an Enterprise Root or Stand-Alone CA and issues to Clients
Slide 24: AD CS Components
Cert Publishers group. Certificates are used to increase security by allowing for strong authentication methods. User accounts are placed within the Cert Publishers group if they need to be able to publish security certificates. Generally, these accounts are used by Active Directory security services.
PKI-savvy applications. These applications allow you and your users to do useful things with certificates, like encryption or network connections. Ideally, the user shouldn't have to know (or even necessarily be aware) of what the application is doing—everything should work seamlessly and automatically. The best-known examples of PKI-savvy applications are web browsers like Internet Explorer and Firefox and applications like Outlook and Outlook Express.
Certificate templates. Certificate templates act like rubber stamps: by specifying a particular template as the model you want to use for a newly issued certificate, you're actually telling the CA which optional attributes to add to the certificate, as well as implicitly telling it how to fill in some of the mandatory attributes. Templates greatly simplify the process of issuing certificates because they keep you from having to memorize the names of all the attributes you might potentially want to put in a certificate. In Windows Server 2008, multiple templates are available and you also have the ability to secure templates using template permissions.
Online Responder service. Some applications—including S/MIME, SSL, EFS, and smart cards—need to validate the status of certificates. The Online Responder service authoritatively responds to such requests.
Certification practice statement. A Certification practice statement (CPS) is a statement that is issued by a certificate creator. It represents the creator's practices for issuing and validating certificates. The CPS represents the technical, procedural, and personnel policies and practices of the issuing certification authority (CA) organization.
Enrollment agents. Enrollment agents are administrators who have the ability to enroll users into the certificate services program. Enrollment agents can issue and manage certificate requests.
Network device enrollment service (NDES). Network devices such as routers do not have accounts in the Active Directory domain. NDES allows such network devices to obtain certificates.
Web enrollment. With web enrollment, users can easily request certificates and retrieve certificate revocation lists (CRLs) through a web browser.
Slide 25: Other PKI/AD CS Need-to-Knows
Certificate Templates
- A template defines the content of the certificates used for various purposes
Auto-Enrollment
- Authorized clients automatically receive a valid certificate
Certificate Revocation List (CRL)/CRL Distribution Point (CDP)
- When a Private Key has been, or is believed to have been, compromised, all certificates issued based on that key must be revoked and re-issued
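The revocation procedure this slide describes, carried out with `certutil.exe` on the issuing CA, as an added example that is not part of the deck. It lists the certificates issued from the affected template, revokes with the key-compromise reason, publishes a fresh CRL so the CDP reflects the change, shows where the CA publishes CRL and AIA data, and verifies a certificate the way a relying party would. The serial number, template name and certificate file name are placeholders; `KeyCompromise` is one of certutil's defined revocation reason names (numeric code 1).

```powershell
# Added example, not from the slides. Run on the issuing CA as a CA administrator.
$serial   = '<SERIAL-NUMBER-OF-AFFECTED-CERT>'     # placeholder: copy from the CA database view below
$template = '<AFFECTED-TEMPLATE-NAME>'             # placeholder: the template whose issuing key is in question

# 1. Enumerate issued certificates (Disposition 20 = issued) so every certificate
#    that depends on the compromised key is accounted for before revoking.
certutil -view -restrict "Disposition=20" -out "RequestID,SerialNumber,CommonName,NotAfter,CertificateTemplate"

# 2. Revoke with a reason that tells relying parties why. Reason codes certutil accepts
#    include Unspecified (0), KeyCompromise (1), CaCompromise (2), Superseded (4) and
#    CertificateHold (6); only CertificateHold can later be reversed with -1 (Unrevoke).
certutil -revoke $serial KeyCompromise

# 3. Publish a new base CRL now rather than waiting for the scheduled publication,
#    so clients fetching from the CDP see the revocation.
certutil -CRL

# 4. Where clients will look: the CRL Distribution Point and Authority Information
#    Access URLs the CA writes into every certificate it issues.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 5. Client's-eye check: build the chain, fetch the CRL/OCSP data from the URLs in the
#    certificate, and report revocation status for the exported certificate file.
certutil -verify -urlfetch .\affected-cert.cer
```

If the CA's own key is the one in doubt (reason `CaCompromise`), revoking leaf certificates is not enough: the CA certificate itself has to be revoked by its parent and every certificate it issued re-issued under a new key, which is the case the slide's "revoked and re-issued" wording covers.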
Slide 26: Understanding AD Domain Services
Introducing the New Domain Services Features in Windows Server 2008
User interface improvements. Domain services are easier to install using the updated Installation Wizard for AD DS.
Read-only domain controllers. Windows Server 2008 supports a new type of domain controller, the read-only domain controller (RODC).
Auditing. Previous versions of Microsoft Windows Server supported auditing of successful or unsuccessful changes to Active Directory objects; however, the nature of the change was not included in the Security Log. In Microsoft Windows Server 2008, you can view the new and old values of the object and its attributes.
Fine-grained password policies. In Microsoft Windows Server 2000 and 2003, domain-based password policies and account lockout policies applied to all users in the domain. There was no inexpensive way to implement multiple such policies for individuals or groups. In Windows Server 2008, fine-grained password policies support multiple password and account lockout policies in the same domain.
Restartable Active Directory Domain Services. With Microsoft Windows Server 2008, administrators can stop or restart AD DS while other services not dependent on Active Directory (DNS, DHCP, etc.) continue to operate.
Database mounting tool. In previous versions of Active Directory, if an object got deleted, an administrator had to load multiple online backups until they found the object to restore. Windows Server 2008 Active Directory includes a database mounting tool (Dsamain.exe) that makes it quicker and easier to find and restore specific data.
BitLocker Drive Encryption. Another way to add security in a non-secure location is through the use of BitLocker Drive Encryption. The BitLocker data-protection feature, new to Windows Server 2008, allows an IT administrator to encrypt both the operating system volume and additional data volumes within the same server.
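Three of the features on this slide have a scriptable form, shown below as an added example that is not from the deck: a fine-grained password policy (a Password Settings Object) applied to a privileged group, the audit subcategory that makes the old and new attribute values appear in the Security log, and the snapshot-and-mount workflow behind the database mounting tool. The `New-ADFineGrainedPasswordPolicy` family of cmdlets ships with the ActiveDirectory module (Windows Server 2008 R2 and later, or RSAT); `auditpol`, `ntdsutil` and `dsamain` are built into the DC. `PSO-PrivilegedAdmins`, `Tier0-Admins`, `jdoe` and the snapshot path are constructed names and placeholders.

```powershell
# Added example, not from the slides. Run on a DC or RSAT workstation as a domain admin.
Import-Module ActiveDirectory

# 1. Fine-grained password policy: a PSO for privileged accounts that is stricter than
#    the domain default. When several PSOs apply to one user, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAdmins' `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# PSOs apply to users and global security groups; apply this one to the admin group.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects 'Tier0-Admins'

# Which policy actually governs a given user after all PSOs and the domain policy are
# considered (returns nothing when only the domain default applies).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'

# 2. Auditing of old and new values: enable the Directory Service Changes subcategory on
#    the DC (here locally with auditpol; in production the equivalent setting goes in
#    the Default Domain Controllers GPO). Event 5136 is written only for objects whose
#    SACL also audits the change, so the object-level SACL must be in place as well.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap

# 3. Database mounting tool: take a snapshot of the live NTDS database, mount it, and
#    expose it read-only over LDAP on an alternate port so deleted or changed objects can
#    be compared against the live directory with any LDAP client (ldp.exe, Get-ADObject).
ntdsutil "activate instance ntds" snapshot create quit quit
ntdsutil snapshot "list all" "mount 1" quit quit
# The mount step prints the snapshot path; substitute it for the placeholder below.
dsamain -dbpath 'C:\$SNAP_<timestamp>_VOLUMEC$\Windows\NTDS\ntds.dit' -ldapport 51389

# Query the mounted snapshot (port 51389) from another prompt, e.g.:
#   Get-ADObject -Filter { Name -eq 'jdoe' } -Server 'localhost:51389' -IncludeDeletedObjects
```

The PSO is the one item here that changes enforcement immediately; set `-Precedence` deliberately, because two PSOs applying to the same user with equal precedence are resolved by object GUID rather than by anything an administrator chose.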
Slide 27: AD Federation Services
AD Federation Services Overview:
- Active Directory Federation Services (AD FS) provides Internet-based clients a secure identity access solution that works on both Windows and non-Windows operating systems.
- Normally when a user from one network tries to access an application in another network, they must have a secondary username and password.
- AD FS allows organizations to set up trust relationships between networks and supports single sign-on (SSO), which allows users to access applications on other networks without needing secondary passwords. Security is improved and administrators spend less time resetting passwords when users don't have to remember multiple passwords.
- AD FS requires an AD FS server on both ends of the connection. For example, if company A is going to set up a trust relationship with company B, an AD FS server needs to be configured at both company A and company B.
Slide 28: AD Federation Services (cont.)
AD Federation Services Configuration
AD FS Web Agents. Administrators have the ability to configure a Windows NT token-based Web Agent. To support this new feature, Windows Server 2008 AD FS includes a user interface for the AD FS Web Agent role service. The Web Agent account is a service account that calls upon other services.
Trust policies. The AD FS trust policy is a file that outlines the set of rules that a Federation Service uses to recognize partners, certificates, account stores, claims, and the other numerous properties that are associated with the Federation Service.
User and group claim mapping. In basic terms, claims mean that each partnered location agrees and appropriately maps the AD FS trust policy for sharing between federation partner locations. A claim contains user information and helps users connect to a partner's resources. Three types of claims are supported by AD FS:
- Identity claim: This claim type helps identify the user. The identity claim is included within a security token. A security token can contain up to three identity claims.
- Group claim: This claim type indicates membership in a group or role.
- Custom claim: This claim type provides any additional information that needs to be sent. An example might be DepartmentID. This is a custom field and would in turn be a custom claim. A custom claim can provide any attribute that is located in Active Directory.
Slide 29: AD Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS) Overview:
- Application protocol used for querying and modifying directory services.
- Allows directory-enabled applications to store and retrieve data without needing the dependencies AD DS requires.
Configuring AD LDS
Configuring an authentication store. Let's say that you have a web or data server and you want a way to save authorization information for it. It is in this type of situation that configuring an AD LDS authentication store can help you out. AD LDS works well as an authentication store because it can host user account objects even though they are not Windows security principals. You can authenticate non-Windows security principals by using LDAP simple binds.
Configuring the data within AD LDS. Remember, earlier we said that AD LDS is like an address book and you can edit who is in that address book by configuring the data within AD LDS. To configure the data within AD LDS, you can use the ADSI Edit snap-in tool.
Migrating to AD LDS. What if your company was using an X.500-style directory service that was integrated into your company's legacy applications and you want to move to AD DS? You can use AD LDS to service the legacy applications while you use Active Directory for the shared security infrastructure.
Windows Server 2008 Hyper-V. Windows Server 2008 has a role-based utility called Hyper-V. Hyper-V is a hypervisor-based virtualization feature. (A hypervisor is a virtual machine monitor.) It includes all the necessary features to support machine virtualization. By using machine virtualization, a company can reduce costs, improve server utilization, and create a more dynamic IT infrastructure.
Slide 30: AD Rights Management Services
Active Directory Rights Management Services Overview
- Active Directory Rights Management Services (AD RMS), included with Microsoft Windows Server 2008, allows administrators or users to determine what access (open, read, modify, etc.) they give to other users in an organization.
- Access restrictions can improve security for messages, internal websites, and documents.
- These three new administrative roles allow for delegation of AD RMS responsibilities: AD RMS Enterprise Administrators; AD RMS Template Administrators; AD RMS Auditors
Self enrollment. AD RMS server enrollment allows for the creation and signing of a server licensor certificate (SLC). This SLC gives the AD RMS server the right to issue certificates and licenses whenever they are needed.
Active Directory Metadirectory Service (AD MDS). Microsoft uses an identity management product called Active Directory Metadirectory Service (AD MDS). AD MDS gives systems the tools they need to get identity data from directories and then expose that data through a directory service interface such as LDAP.