Presentation on theme: "Windows 2008 Active Directory Configuration – Week 3 of 6 Microsoft Test: 70-640 Mark McCoy MCSE, CNE, CISSP."— Presentation transcript:
Windows 2008 Active Directory Configuration – Week 3 of 6
Microsoft Test: 70-640
Mark McCoy MCSE, CNE, CISSP
Week 3 Agenda
Review Week 2:
- Ch 3 – Planning and Installation of Active Directory
- Ch 4 – Installing and Managing Trees and Forests
Week 3 Discussion:
- Ch 5 – Configuring Sites and Replication
- Ch 6 – Configuring Active Directory Server Roles
Questions & Answers
Week 3 Homework Assignment
Chapter 1 – Overview of Active Directory
- The Windows NT 4 Domain Construct (the roots of the Active Directory tree and forest)
- The Benefits of Active Directory
- The Logical Structure of Active Directory
- Understanding Active Directory Objects
- Windows 2008 Server Roles
- Identity and Access (IDA) in Active Directory
- Exam Essentials
Comparison of Domain Functional Level Capabilities

Domain Functional Feature                                   Windows 2000 Native   Windows Server 2003   Windows Server 2008
Fine-grained password policies                              Disabled              Disabled              Enabled
Read-only domain controller (RODC)                          Disabled              Disabled              Enabled
Last interactive logon information                          Disabled              Disabled              Enabled
Advanced Encryption Standard (AES 128/256) for Kerberos     Disabled              Disabled              Enabled
Distributed File System replication support for Sysvol      Disabled              Disabled              Enabled
Ability to redirect the Users and Computers containers      Disabled              Enabled               Enabled
Ability to rename domain controllers                        Disabled              Enabled               Enabled
Logon timestamp updates                                     Disabled              Enabled               Enabled
Kerberos KDC key version numbers                            Disabled              Enabled               Enabled
InetOrgPerson objects can have passwords                    Disabled              Enabled               Enabled
Converts NT groups to domain local and global groups        Enabled               Enabled               Enabled
SID history                                                 Enabled               Enabled               Enabled
Group nesting                                               Enabled               Enabled               Enabled
Universal groups                                            Enabled               Enabled               Enabled

Raising a functional level is a one-way operation on Windows Server 2008 and requires that every domain controller in the domain (for a domain level) or forest (for a forest level) already runs that version of Windows. Deploying an RODC additionally requires the forest functional level to be at least Windows Server 2003 and adprep /rodcprep to have been run.
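The functional level is what decides whether the features in the table are actually available, so it is worth reading it from the directory rather than from documentation. The following is an added example for this section, not code from the course deck or from Microsoft: it reads the domain and forest levels from RootDSE, lists which of the tabled features the current domain level enables, and counts the Password Settings Objects that exist, since fine-grained password policies do nothing until someone creates one. It uses ADSI so that it runs on a Windows Server 2008 domain controller with PowerShell 2.0 without the ActiveDirectory module (which first shipped with Windows Server 2008 R2). The -Server parameter is optional.

```powershell
# Added example (not from the course deck): report functional levels and the
# Windows Server 2003/2008 domain features they enable, via ADSI (PowerShell 2.0).

function Get-FunctionalLevelReport {
    param([string]$Server)

    $prefix  = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse = [ADSI]($prefix + 'RootDSE')

    # RootDSE publishes the levels as small integers
    $levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim';
                     2 = 'Windows Server 2003'; 3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2' }
    $domainLevel = [int]$rootDse.Properties['domainFunctionality'].Value
    $forestLevel = [int]$rootDse.Properties['forestFunctionality'].Value
    $domainDn    = [string]$rootDse.Properties['defaultNamingContext'].Value

    # Features from the comparison table, keyed by the lowest domain level that enables them
    $featureLevels = @{
        'Fine-grained password policies'            = 3
        'Read-only domain controller (RODC)'        = 3   # also needs forest level 2003 and adprep /rodcprep
        'Last interactive logon information'        = 3
        'AES 128/256 for Kerberos'                  = 3
        'DFS replication of Sysvol'                 = 3
        'Redirect Users and Computers containers'   = 2
        'Rename domain controllers'                 = 2
        'Logon timestamp updates'                   = 2
        'KDC key version numbers'                   = 2
        'InetOrgPerson passwords'                   = 2
    }

    # Fine-grained password policies only take effect once a PSO exists, so count the
    # msDS-PasswordSettings objects in the Password Settings Container as a sanity check.
    $psoCount = 0
    if ($domainLevel -ge 3) {
        $searcher = New-Object DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]($prefix + "CN=Password Settings Container,CN=System,$domainDn")
        $searcher.Filter     = '(objectClass=msDS-PasswordSettings)'
        $psoCount = $searcher.FindAll().Count
    }

    New-Object PSObject -Property @{
        DomainLevel = $levelNames[$domainLevel]
        ForestLevel = $levelNames[$forestLevel]
        Enabled     = @($featureLevels.Keys | Where-Object { $featureLevels[$_] -le $domainLevel } | Sort-Object)
        Disabled    = @($featureLevels.Keys | Where-Object { $featureLevels[$_] -gt $domainLevel } | Sort-Object)
        PsoCount    = $psoCount
    }
}

Get-FunctionalLevelReport | Format-List DomainLevel, ForestLevel, Enabled, Disabled, PsoCount
```

A domain at level 3 with PsoCount 0 is the common case worth noticing: the capability is enabled but every account, including privileged ones, is still governed only by the Default Domain Policy.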
NTDSUTIL Command Options (ntdsutil Domain Management menu; the menu is named Partition Management in Windows Server 2008)
- Help or ? – Displays information about the commands available within the Domain Management menu of ntdsutil.
- Connection or Connections – Connects to a specific domain controller. This sets the context for further operations performed on specific domain controllers.
- Create NC PartitionDistinguishedName DNSName – Creates a new application directory partition.
- Delete NC PartitionDistinguishedName – Removes an application data partition.
- List NC Information PartitionDistinguishedName – Shows information about the specified application data partition.
- List NC Replicas PartitionDistinguishedName – Returns information about all replicas of the specified application data partition.
- Precreate PartitionDistinguishedName ServerDNSName – Precreates cross-reference application data partition objects. This allows the specified domain controller to host a copy of the application data partition.
- Remove NC Replica PartitionDistinguishedName DCDNSName – Removes a replica from the specified domain controller.
- Select Operation Target – Selects the naming context that will be used for other operations.
- Set NC Reference Domain PartitionDistinguishedName DomainDistinguishedName – Specifies the reference domain for an application data partition.
- Set NC Replicate Notification Delay PartitionDistinguishedName FirstDCNotificationDelay OtherDCNotificationDelay – Defines how quickly replication notifications are sent to the first and to the remaining replica domain controllers for the specified application data partition.
Chapter 3 – Exam Essentials
- Know the prerequisites for promoting a server to a domain controller. You should understand the tasks that you must complete before you attempt to promote a server to a domain controller. You should also have a good idea of the information you need in order to complete the promotion process.
- Understand the steps of the Active Directory Installation Wizard (DCPROMO). When you run the Active Directory Installation Wizard, you are presented with many different choices. You should understand the effects of the various options provided in each step of the wizard.
- Be familiar with the tools you will use to administer Active Directory. Three main administrative tools are installed when you promote a Windows Server 2008 computer to a domain controller (Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services). Be sure you know which tool to use for which type of task.
- Understand the purpose of application data partitions. The idea behind application data partitions is that, since you already have a directory service that can replicate all kinds of security information, you can also use it to keep track of application data. The main benefit of storing application information in Active Directory is that you can take advantage of its storage mechanism and replication topology. Application-related information stored on domain controllers benefits from fault tolerance and availability.
Creating Domain Trees and Forests (CONT)
Chapter 4 Exam Essentials
- Understand the reasons for using multiple domains. There are seven primary reasons for using multiple domains: additional scalability, reduced replication traffic, political and organizational boundaries, many levels of hierarchy, decentralized administration, legal requirements, and multiple DNS or domain names.
- Understand the drawbacks of using multiple domains. With multiple domains, maintaining administrative consistency is more difficult. The number of administrative units multiplies as well, which makes it difficult to keep track of network resources. Finally, it is much more difficult to rearrange the domain topology within an Active Directory environment than it is to simply reorganize OUs. Keep in mind that a domain is an administrative and replication boundary, not a security boundary; the forest is the security boundary, so separating organizations that do not trust each other calls for separate forests, not just separate domains.
- Know how to create a domain tree. To create a new domain tree, you promote a Windows Server 2008 computer to a domain controller, select the option that makes this domain controller the first machine in a new domain, and make that domain the first domain of a new tree. The result is a new domain tree.
- Know how to join a domain tree to a forest. Creating a new tree to form or add to a forest is as simple as promoting a server to a domain controller for a new domain that does not share a namespace with an existing Active Directory domain. In order to add a domain to an existing forest, you must already have at least one other domain. This domain serves as the root domain for the entire forest.
- Understand how to manage single-master operations. Single-master operations must be performed on specially designated machines within the Active Directory forest. There are five single-master roles: two that apply to an entire Active Directory forest (Schema Master and Domain Naming Master) and three that apply to each domain (RID Master, PDC Emulator Master, and Infrastructure Master).
- Understand how to manage trusts. When configuring trusts, you need to consider two main characteristics: transitivity and direction. The simplest way to understand transitive relationships is through an example: if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A implicitly trusts Domain C. Trusts can be configured as non-transitive so that this behavior does not occur. In a one-way relationship, the trusting domain (the one holding the resources) allows access by accounts from the trusted domain. In a two-way relationship, both domains trust each other equally. Special trusts include external trusts (non-transitive, to a domain in another forest or an NT 4 domain), realm trusts (to a non-Windows Kerberos realm), cross-forest trusts (transitive between two forest root domains), and shortcut trusts (within a forest, to shorten the authentication path).
- Understand how to manage UPN suffixes. By default, the name of the domain in which the user is created determines the UPN suffix. By adding additional UPN suffixes to the forest, you can choose more manageable suffixes when creating new users.
- Understand how to manage Global Catalog (GC) servers. You can configure any number of domain controllers to host a copy of the GC. The GC contains all of the schema information and a subset of the attributes for all domains within the Active Directory environment. Servers that contain a copy of the GC are known as GC servers. Whenever a user executes a query that requires information from multiple domains, they need only contact the nearest GC server. Similarly, when users must authenticate across domains, they do not have to wait for a response from a domain controller that may be located across the world. The end result is increased overall performance of Active Directory queries.
- Understand Universal Group Membership Caching. You can enable a domain controller as a universal group membership caching server. At a user's logon, that domain controller requests the user's universal group memberships from a GC server and caches them locally; the cache is refreshed every 8 hours by default, and the user can then authenticate without contacting the GC again.
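The direction and transitivity discussed above are stored on the trustedDomain objects in CN=System of each domain, so they can be audited rather than taken from a diagram. The following is an added example for this section, not code from the course deck or from Microsoft: it enumerates those objects and decodes trustDirection, trustAttributes and trustType into the terms the essentials use (one-way or two-way; transitive or not; external, realm, forest or within-forest). It is written for PowerShell 2.0 with ADSI and assumes no particular domain names; the constructed value at the end exercises the decoder on a two-way external trust with SID filtering.

```powershell
# Added example (not from the course deck): decode trust direction and transitivity
# from the trustedDomain objects in the current domain (PowerShell 2.0, ADSI).

function ConvertFrom-TrustFlags {
    param([int]$Direction, [int]$Attributes, [int]$Type)

    # trustDirection: 1 = inbound (the partner trusts us), 2 = outbound (we trust the partner), 3 = two-way
    $dir = switch ($Direction) { 1 { 'Inbound' } 2 { 'Outbound' } 3 { 'Bidirectional' } default { 'Disabled' } }

    # trustType: 1 = downlevel (Windows NT 4), 2 = uplevel (Active Directory), 3 = MIT Kerberos realm
    $kind = switch ($Type) { 1 { 'Downlevel' } 2 { 'Uplevel' } 3 { 'Realm' } default { "Type $Type" } }

    # trustAttributes bit flags (TRUST_ATTRIBUTE_*)
    $nonTransitive    = ($Attributes -band 0x01) -ne 0   # NON_TRANSITIVE
    $quarantined      = ($Attributes -band 0x04) -ne 0   # QUARANTINED_DOMAIN: SID filtering enforced
    $forestTransitive = ($Attributes -band 0x08) -ne 0   # FOREST_TRANSITIVE
    $withinForest     = ($Attributes -band 0x20) -ne 0   # WITHIN_FOREST
    $treatAsExternal  = ($Attributes -band 0x40) -ne 0   # TREAT_AS_EXTERNAL: SID filtering relaxed

    if ($withinForest)         { $class = 'Within forest (parent/child, tree-root or shortcut); always transitive' }
    elseif ($forestTransitive) { $class = 'Forest trust; transitive between the two forests' }
    elseif ($kind -eq 'Realm') { $class = 'Realm trust; transitive unless NON_TRANSITIVE is set' }
    elseif ($nonTransitive)    { $class = 'External trust; non-transitive' }
    else                       { $class = 'Other' }

    New-Object PSObject -Property @{
        Direction       = $dir
        Kind            = $kind
        Class           = $class
        Transitive      = -not $nonTransitive
        SidFiltering    = $quarantined
        TreatAsExternal = $treatAsExternal
    }
}

function Get-DomainTrusts {
    param([string]$Server)

    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $domainDn = [string]([ADSI]($prefix + 'RootDSE')).Properties['defaultNamingContext'].Value

    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]($prefix + "CN=System,$domainDn")
    $searcher.Filter     = '(objectClass=trustedDomain)'
    foreach ($a in 'trustPartner', 'trustDirection', 'trustAttributes', 'trustType') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }

    foreach ($r in $searcher.FindAll()) {
        $flags = ConvertFrom-TrustFlags -Direction  ([int]$r.Properties['trustdirection'][0]) `
                                        -Attributes ([int]$r.Properties['trustattributes'][0]) `
                                        -Type       ([int]$r.Properties['trusttype'][0])
        $flags | Add-Member -MemberType NoteProperty -Name Partner -Value ([string]$r.Properties['trustpartner'][0]) -PassThru
    }
}

# Constructed check of the decoder: two-way external trust, attributes 0x05 = NON_TRANSITIVE | QUARANTINED_DOMAIN
ConvertFrom-TrustFlags -Direction 3 -Attributes 0x05 -Type 2 | Format-List

Get-DomainTrusts | Format-Table Partner, Direction, Kind, Transitive, SidFiltering, Class -AutoSize
```

The SidFiltering and TreatAsExternal columns go beyond what this chapter covers, but they are the first thing to look at when reviewing an external or forest trust: SID filtering is what stops a compromised trusted domain from injecting SIDs (via SID history) that are honored in the trusting domain.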
Chapter 5 - Configuring Sites and Replication
- Chapter 5 Exam Objectives
- Overview of Network Planning
- Overview of Active Directory Replication and Sites
- Implementing Sites and Subnets
- Configuring Replication
- Monitoring and Troubleshooting Active Directory Replication
- Exam Essentials
Chapter 5 Exam Objectives
Configuring the Active Directory Infrastructure
- Configure sites. May include but is not limited to: create Active Directory subnets; configure site links; configure site link costing; configure sites infrastructure
- Configure Active Directory replication. May include but is not limited to: Distributed File System; one-way replication; bridgehead server; replication scheduling; configure replication protocols; force intersite replication
Overview of Network Planning
Three Types of Networks
- LAN: well-connected and reliable; fast link speeds (10 Mbps – Gigabit)
- WAN: somewhat unreliable; slower link speeds (56 Kbps – 1.5 Mbps)
- Internet
Network Constraints
- Bandwidth
- Cost
Overview of AD Replication and Sites
Replication
- The Active Directory database is replicated in a multi-master fashion: a change made on any writable domain controller is copied to all other domain controllers
Sites represent the physical structure of the organization
Replication Building Blocks
- Site
- Subnet
- Site Links
- Bridgehead Server
Replication Building Blocks
- Site – A physical location within the company. Contains the domain controller(s) that must replicate with each other, within the site and between sites. Can contain a single domain or multiple domains.
- Subnet – The IP subnet(s) that define the site from a routing perspective. A client's IP address is matched to a subnet to determine its site, and therefore which domain controllers are nearest to it.
- Site Link – Represents the WAN connectivity from one site to another within the company. A site link is given a relative cost, with a lower value assigned to faster links. The transport can be RPC over IP or SMTP (SMTP cannot replicate the domain partition).
- Bridgehead Server – The server within a site that speaks for the site when replicating AD information to another site. DCs within a site replicate with their bridgehead server, and the bridgehead server replicates the AD data to the other sites, conserving WAN bandwidth.
Implementing Sites and Subnets
A site in Active Directory represents a physical location within a company. CBSHOME Real Estate sites may be as follows:
- Agent Services
- West Dodge Sales Office
- Northwest Sales Office
- Davenport Sales Office
- Etc.
Each site is associated with one or more IP subnets. CBSHOME subnets would be as follows:
- Agent Services: /24
- West Dodge Sales Office: /24
- Northwest Sales Office: /24
- Davenport Sales Office: /24
- Etc.
Each site can contain one or more domains:
- CBSHOME sites contain one domain
- Two or more domains can be co-located within a single site
At least one domain controller/Global Catalog server should be placed in each site to provide better authentication and resource-location response times. (A domain controller in a physically less secure site is a candidate for an RODC, covered in Chapter 6.)
Let's create a few sites and subnets using the AD Sites and Services snap-in...
Configuring Replication
Replication comes in two flavors:
- Intra-Site (DCs within a site replicate AD data with one another) – Always uses RPC over IP. Because the link is well-connected and reliable, changes replicate on notification within seconds and the data is not compressed.
- Inter-Site (DCs in one site replicate AD data with DCs in another site) – Normally also uses RPC over IP, with the data compressed and sent according to the site link schedule. SMTP is an alternative only for sites with no direct RPC connectivity, and only for the schema, configuration and Global Catalog partial replicas, never the domain partition; it also requires an enterprise CA because the SMTP messages are signed.
Site link properties (which link sites and their IP subnets) control the replication schedule and interval between sites, which are assumed to be slow and somewhat unreliable WAN links.
A bridgehead server can be defined in a site to handle inter-site replication and cut down on inter-site replication traffic.
Let's configure a few site links and maybe a bridgehead server...
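Everything configured through the Sites and Services snap-in lands in the Configuration partition under CN=Sites, and reading it back is the quickest way to check the result of the steps above. The following is an added example for this section, not code from the course deck or from Microsoft: it lists each site with its subnets, each site link with its transport, cost, interval and member sites, and flags the two things that commonly go wrong, subnets not assigned to any site and site links on the SMTP transport. PowerShell 2.0 with ADSI; no site or domain names are assumed.

```powershell
# Added example (not from the course deck): dump the site topology from CN=Sites in the
# Configuration partition and flag unassigned subnets and SMTP site links (PowerShell 2.0, ADSI).

function Search-Ldap {
    param([string]$Prefix, [string]$BaseDn, [string]$Filter, [string[]]$Attributes)
    $s = New-Object DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]($Prefix + $BaseDn)
    $s.Filter     = $Filter
    $s.PageSize   = 500
    foreach ($a in $Attributes) { [void]$s.PropertiesToLoad.Add($a) }
    $s.FindAll()
}

function Get-SiteTopology {
    param([string]$Server)

    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $configDn = [string]([ADSI]($prefix + 'RootDSE')).Properties['configurationNamingContext'].Value
    $sitesDn  = "CN=Sites,$configDn"

    $sites   = Search-Ldap $prefix $sitesDn '(objectClass=site)' @('cn', 'distinguishedName')
    $subnets = Search-Ldap $prefix "CN=Subnets,$sitesDn" '(objectClass=subnet)' @('cn', 'siteObject')
    $links   = Search-Ldap $prefix "CN=Inter-Site Transports,$sitesDn" '(objectClass=siteLink)' `
                          @('cn', 'cost', 'replInterval', 'siteList', 'distinguishedName')

    # Site DN -> subnet names. A subnet with no siteObject is unassigned: clients on it cannot be
    # matched to a site and may authenticate against a DC across the WAN (NETLOGON event 5807).
    $subnetsBySite = @{}
    $unassigned    = @()
    foreach ($sn in $subnets) {
        $name = [string]$sn.Properties['cn'][0]
        if ($sn.Properties['siteobject'].Count -eq 0) { $unassigned += $name; continue }
        $siteDn = [string]$sn.Properties['siteobject'][0]
        if (-not $subnetsBySite.ContainsKey($siteDn)) { $subnetsBySite[$siteDn] = @() }
        $subnetsBySite[$siteDn] += $name
    }

    $siteReport = foreach ($s in $sites) {
        $dn   = [string]$s.Properties['distinguishedname'][0]
        $list = if ($subnetsBySite.ContainsKey($dn)) { $subnetsBySite[$dn] -join ', ' } else { '(no subnets)' }
        New-Object PSObject -Property @{ Site = [string]$s.Properties['cn'][0]; Subnets = $list }
    }

    $linkReport = foreach ($l in $links) {
        $dn = [string]$l.Properties['distinguishedname'][0]
        # The transport is the parent container: CN=IP or CN=SMTP under Inter-Site Transports
        $transport = if ($dn -match ',CN=(IP|SMTP),CN=Inter-Site Transports,') { $matches[1] } else { 'unknown' }
        $members   = @($l.Properties['sitelist'] | ForEach-Object { ([string]$_ -split ',')[0] -replace '^CN=', '' })
        $warning   = if ($transport -eq 'SMTP') { 'SMTP cannot replicate the domain partition' } else { '' }
        New-Object PSObject -Property @{
            SiteLink        = [string]$l.Properties['cn'][0]
            Transport       = $transport
            Cost            = [int]$l.Properties['cost'][0]
            IntervalMinutes = [int]$l.Properties['replinterval'][0]
            Sites           = $members -join ', '
            Warning         = $warning
        }
    }

    New-Object PSObject -Property @{ Sites = $siteReport; SiteLinks = $linkReport; UnassignedSubnets = $unassigned }
}

$topology = Get-SiteTopology
$topology.Sites     | Format-Table Site, Subnets -AutoSize
$topology.SiteLinks | Format-Table SiteLink, Transport, Cost, IntervalMinutes, Sites, Warning -AutoSize
$topology.UnassignedSubnets
```

A freshly created site that shows "(no subnets)" is the usual mistake after the lab above: the site exists, but no client will ever be placed in it until a subnet points at it.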
Monitoring and Troubleshooting AD Replication
Monitoring Replication
- System Monitor (Reliability and Performance Monitor in Windows Server 2008), using the NTDS performance object
- Event Viewer (available within Server Manager): the Directory Service log, and the DFS Replication log when Sysvol uses DFSR
Troubleshooting Replication
- Verify network connectivity
- Verify firewall and router configuration
- Verify that information is synchronized (repadmin /showrepl, repadmin /replsummary, dcdiag)
- Verify the replication topology
Chapter 5 Exam Essentials
- Understand the purpose of Active Directory replication. Replication keeps domain controllers synchronized and is important in Active Directory environments of all sizes. Replication is the process by which changes to the Active Directory database are transferred between domain controllers.
- Understand the concept of sites, site boundaries, and subnets. Subnets define physical portions of your network environment. Sites are collections of well-connected IP subnets. Site boundaries are defined by the subnet or subnets you include in the site configuration.
- Understand the differences between intrasite and intersite replication. Intrasite replication synchronizes Active Directory information between machines in the same site. Intersite replication synchronizes information between domain controllers in different sites.
- Understand the purpose of bridgehead servers. Bridgehead servers accept replication traffic between two remote sites and then forward this information to the appropriate servers in their site. Using a bridgehead server is one way to synchronize data efficiently between sites connected by slow links.
- Implement site links, site link bridges, and connection objects. All three object types let you finely control Active Directory replication and manage replication traffic. Site links define the connections available between sites; a site link carries a relative cost for the network connection, reflecting the bandwidth available. Site link bridges connect site links together so that the relationship is transitive. Connection objects let you set up special replication behavior, such as immediate replication on demand or a custom schedule for certain servers.
- Configure replication schedules and site link costs. You can create multiple site links between sites and assign each a cost based on the type of connection. The systems administrator determines the cost value, and the relative costs are used to determine the optimal path for replication; the lower the cost, the more likely the link will be used. Once you have determined how and over which connections replication takes place, decide when information should be replicated. Replication uses network resources and occupies bandwidth, so balance the need for consistent directory information against the need to conserve bandwidth.
- Determine where to place domain controllers and Global Catalog servers based on a set of requirements. Placement can positively affect the performance of Active Directory operations, but to optimize performance you need to know the best places to put these servers in a network environment that consists of multiple sites.
- Monitor and troubleshoot replication. The Windows Server 2008 System Monitor administrative tool lets you monitor many performance statistics associated with Active Directory. In addition, always verify basic network connectivity and router and firewall configuration, and examine the event logs.
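The three troubleshooting steps listed in this chapter (check that information is synchronized, check the event logs, check connectivity through firewalls and routers) are all scriptable. The following is an added example for this section, not code from the course deck or from Microsoft. Get-ReplicationFailures parses the CSV output of repadmin /showrepl (repadmin.exe is installed with the AD DS role) and returns only the replication links that have failed; Get-ReplicationEvents pulls recent NTDS warnings and errors from the Directory Service log; Test-DcPorts checks the fixed TCP ports a domain controller needs reachable. PowerShell 2.0 is assumed; the domain controller name 'dc2' at the end is a placeholder.

```powershell
# Added example (not from the course deck): scripted replication health checks for a
# Windows Server 2008 domain controller (PowerShell 2.0, repadmin.exe).

function Get-ReplicationFailures {
    param([string]$Scope = '*')   # '*' = every DC repadmin can reach, or a single DC name

    # Column names are the ones repadmin emits in /csv mode
    $rows = & repadmin /showrepl $Scope /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        if ([int]$r.'Number of Failures' -gt 0) {
            New-Object PSObject -Property @{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Transport     = $r.'Transport Type'
                Failures      = [int]$r.'Number of Failures'
                LastSuccess   = $r.'Last Success Time'
                LastError     = $r.'Last Failure Status'
            }
        }
    }
}

function Get-ReplicationEvents {
    param([int]$Hours = 24)
    Get-EventLog -LogName 'Directory Service' -EntryType Error, Warning -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.Source -like 'NTDS*' } |
        Select-Object TimeGenerated, EventID, Source, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

function Test-DcPorts {
    # Fixed ports: DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445, LDAPS 636,
    # Global Catalog 3268. RPC replication also needs the dynamic RPC range (49152-65535 on
    # Windows Server 2008) unless the DC is pinned to a fixed port with the NTDS "TCP/IP Port"
    # registry value, so an open 135 alone does not prove replication can get through a firewall.
    param([string]$Dc, [int[]]$Ports = @(53, 88, 135, 389, 445, 636, 3268))
    foreach ($p in $Ports) {
        $client = New-Object Net.Sockets.TcpClient
        $open = $false
        try { $client.Connect($Dc, $p); $open = $client.Connected } catch { } finally { $client.Close() }
        New-Object PSObject -Property @{ DC = $Dc; Port = $p; Open = $open }
    }
}

Get-ReplicationFailures | Format-Table Destination, Source, NamingContext, Failures, LastSuccess, LastError -AutoSize
Get-ReplicationEvents -Hours 24 | Format-Table -AutoSize
Test-DcPorts -Dc 'dc2' | Format-Table -AutoSize   # 'dc2' is a placeholder DC name
```

A link whose LastSuccess is older than the tombstone lifetime (60 or 180 days depending on when the forest was created) is the case to treat as an incident rather than a connectivity problem: the DC can no longer be allowed to replicate and must be rebuilt, or lingering objects will reappear.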
Chapter 6 - Configuring Active Directory Server Roles
- Understanding Server Manager
- Configuring Active Directory Certificate Services
- Understanding Active Directory Domain Services
- Active Directory Federation Services
- Active Directory Lightweight Directory Services
- Active Directory Rights Management Services
- Exam Essentials
Chapter 6 Exam Objectives
Configuring Additional Active Directory Server Roles
- Configure Active Directory Lightweight Directory Service (AD LDS). May include but is not limited to: migration to AD LDS; configure data within AD LDS; configure an authentication server; server core; Windows Server 2008 Hyper-V
- Configure Active Directory Rights Management Service (AD RMS). May include but is not limited to: certificate request and installation; self-enrollments; delegation; Active Directory Metadirectory Services (AD MDS); Windows Server virtualization
- Configure the read-only domain controller (RODC). May include but is not limited to: unidirectional replication; Administrator role separation; read-only DNS; BitLocker; credential caching; password replication; syskey; Windows Server virtualization
- Configure Active Directory Federation Services (AD FS). May include but is not limited to: install AD FS server role; exchange certificate with AD FS agents; configure trust policies; configure user and group claim mapping; Windows Server virtualization
Creating and Maintaining Active Directory Objects
- Configure account policies. May include but is not limited to: domain password policy; account lockout policy; fine-grain password policies
Configuring Active Directory Certificate Services
- Install Active Directory Certificate Services. May include but is not limited to: standalone vs. enterprise; CA hierarchies root vs. subordinate; certificate requests; certificate practice statement
- Configure CA server settings. May include but is not limited to: key archival; certificate database backup and restore; assigning administration roles
- Manage certificate templates. May include but is not limited to: certificate template types; securing template permissions; managing different certificate template versions; key recovery agent
- Manage enrollments. May include but is not limited to: network device enrollment service (NDES); autoenrollment; Web enrollment; smart card enrollment; creating enrollment agents
- Manage certificate revocations. May include but is not limited to: configure Online Responders; Certificate Revocation List (CRL); CRL Distribution Point (CDP); Authority Information Access (AIA)
Understanding Server Manager (The One-Stop Shop)
Add Server Roles
- AD Certificate Services
- AD Domain Services
- AD Federation Services
- AD Lightweight Directory Services
- AD Rights Management Services
Add Services
- DHCP
- DNS
- IIS
- Etc.
Monitor the Server
- Event Viewer
- Configuration
- Storage
- Etc.
Configuring AD Certificate Services
AD Certificate Services enables you to implement:
- Secure Sockets Layer (SSL)/Transport Layer Security (TLS) – HTTPS
- Two-factor authentication – smart card logon
- Encryption (EFS, S/MIME, IPsec)
- Etc.
Implements what is referred to as Public Key Infrastructure (PKI)
- Data encrypted with one key of a mathematically related pair can be decrypted only with the other: the public key (which may be known to anyone) and the private key (which must be kept secret)
- The security of a PKI relies on private keys staying secret, above all the CA's own private key, because a certificate is only as trustworthy as the key that signed it
Certificate Services Hierarchy
Certificate Authority
- Enterprise Root – The supreme key holder in an AD-integrated PKI. Issues certificates to subordinate CAs or clients; publishes to Active Directory and can use certificate templates and autoenrollment.
- Stand-Alone – The supreme key holder in a non-AD PKI. Issues certificates to subordinate CAs or clients; requests are approved manually or by policy without templates.
- Subordinate – Receives its certificate from an Enterprise Root or Stand-Alone CA and issues certificates to clients.
A common production design is a stand-alone root CA that is kept offline (powered off and disconnected once it has signed the subordinate CA's certificate and its CRL is published), with an online enterprise subordinate CA doing the day-to-day issuing, so that a compromise of the issuing CA does not force the root, and every certificate that chains to it, to be replaced.
AD CS Components
- Cert Publishers group – Certificates are used to increase security by allowing for strong authentication methods. Accounts are placed in the Cert Publishers group if they need to be able to publish certificates to user objects in Active Directory; in practice these are the computer accounts of enterprise CAs.
- PKI-savvy applications – These applications let you and your users do useful things with certificates, like encrypting email or securing network connections. Ideally the user should not have to know (or even be aware of) what the application is doing: everything should work seamlessly and automatically. The best-known examples of PKI-savvy applications are web browsers like Internet Explorer and Firefox and mail clients like Outlook and Outlook Express.
- Certificate templates – Templates act like rubber stamps: by specifying a template as the model for a newly issued certificate, you tell the CA which optional attributes to add and, implicitly, how to fill in some of the mandatory ones. Templates greatly simplify issuing certificates because you do not have to remember every attribute you might want in a certificate. Windows Server 2008 ships many templates, and you can secure templates with template permissions (who may Read, Enroll, or Autoenroll).
- Online Responder service – Some applications, including S/MIME, SSL, EFS, and smart cards, need to validate the status of certificates. The Online Responder implements the Online Certificate Status Protocol (OCSP) and answers such requests authoritatively, so clients do not have to download the full CRL.
- Certification practice statement – A certification practice statement (CPS) is a statement issued by a certificate creator describing its practices for issuing and validating certificates. It represents the technical, procedural, and personnel policies and practices of the issuing certification authority (CA) organization.
- Enrollment agents – Users (usually administrators) who hold an Enrollment Agent certificate and can therefore request and manage certificates on behalf of other users, for example when issuing smart cards.
- Network Device Enrollment Service (NDES) – Network devices such as routers do not have accounts in the Active Directory domain. NDES (Microsoft's implementation of SCEP) allows such devices to obtain certificates.
- Web enrollment – With web enrollment, users can request certificates and retrieve certificate revocation lists (CRLs) through a web browser.
Other PKI/AD CS Need-to-Knows
- Certificate Templates – A template defines the content of the certificates issued for various purposes
- Auto-Enrollment – Authorized clients automatically receive a valid certificate
- Certificate Revocation List (CRL)/CRL Distribution Point (CDP) – When a private key has been, or is believed to have been, compromised, the certificate for that key must be revoked and a new CRL published; if the compromised key belongs to a CA, every certificate that CA issued must be revoked and re-issued under a new CA key. Clients locate the CRL through the CDP URL embedded in each certificate, and they keep trusting a revoked certificate until the CRL they have cached expires.
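The revocation bullet above describes a workflow rather than a single setting, so here it is end to end. The following is an added example for this section, not code from the course deck or from Microsoft: it uses certutil.exe (part of Windows) to revoke a certificate on the issuing CA, publish a new CRL, show the CRL period that bounds how long clients will keep trusting the old status, and then, from a client, clear the local cache and verify the certificate through its CDP and AIA URLs. Steps 1 to 3 run on the CA; step 4 on any domain member. The CA config string, serial number and .cer file name are placeholders.

```powershell
# Added example (not from the course deck): revoke a certificate, publish the CRL, and verify
# revocation from a client with certutil.exe. Names and the serial number are placeholders.

$ca = 'CA01.cbshome.local\CBSHOME Issuing CA'   # "<host>\<CA common name>", placeholder

# 1. Revoke by serial number. Reason codes: 0 Unspecified, 1 KeyCompromise, 2 CACompromise,
#    3 AffiliationChanged, 4 Superseded, 5 CessationOfOperation, 6 CertificateHold (the only
#    reversible one). A compromised private key is reason 1.
certutil -config $ca -revoke 6100000003a1b2c3d4e5f60000000003 1

# 2. Publish a new base CRL (and a delta CRL if the CA issues them) to every configured CDP.
#    Clients that already cached the previous CRL keep trusting the certificate until that CRL
#    expires, so the CRL period is the upper bound on how long a revocation takes to bite.
certutil -config $ca -CRL
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits

# 3. Confirm where the CA publishes its CRL (CDP) and its own certificate (AIA); these are the
#    URLs that end up inside every issued certificate.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 4. From a client: flush the cached CRL/OCSP responses so a stale "good" answer is not reused,
#    then fetch the chain through the certificate's CDP and AIA URLs and check its status.
#    The output lists each URL retrieved and reports the leaf as revoked with the reason from step 1.
certutil -urlcache crl delete
certutil -urlcache ocsp delete
certutil -verify -urlfetch .\revoked-user.cer
```

If step 4 still reports the certificate as valid, look at the CRL's NextUpdate time in the output before suspecting the CA: the client is almost always just honoring a CRL it fetched before the revocation, which is the caching behavior the chapter's CRL period setting controls.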
Understanding AD Domain Services
Introducing the New Domain Services Features in Windows Server 2008
- User interface improvements – Domain services are easier to install using the updated Installation Wizard for AD DS.
- Read-only domain controllers – Windows Server 2008 supports a new type of domain controller, the read-only domain controller (RODC), which holds a read-only copy of the database, receives unidirectional replication, and caches only the credentials its Password Replication Policy allows.
- Auditing – Previous versions of Windows Server could audit successful or unsuccessful changes to Active Directory objects, but the nature of the change was not recorded in the Security log. In Windows Server 2008 you can view the new and old values of the object and its attributes. This requires the Directory Service Changes audit subcategory to be enabled (auditpol /set /subcategory:"Directory Service Changes" /success:enable) and a SACL on the objects of interest; the changes then appear as Security events 5136 (modify), 5137 (create), 5138 (undelete), 5139 (move) and 5141 (delete).
- Fine-grained password policies – In Windows 2000 and Windows Server 2003, domain-based password and account lockout policies applied to every user in the domain; there was no inexpensive way to apply different policies to individuals or groups. Windows Server 2008 fine-grained password policies (Password Settings Objects) support multiple password and account lockout policies within the same domain.
- Restartable Active Directory Domain Services – Administrators can stop and restart AD DS (net stop ntds) while services that do not depend on Active Directory (DNS, DHCP, etc.) continue to run, for example to perform an offline defragmentation without rebooting into Directory Services Restore Mode.
- Database mounting tool – In previous versions, if an object was deleted, an administrator had to restore multiple backups until the right one was found. Windows Server 2008 includes Dsamain.exe, which mounts a snapshot or backup of the database as a separate LDAP instance so that it can be searched and compared with the live directory before anything is restored.
- BitLocker Drive Encryption – Another way to add security in a less secure location (a branch office RODC, for example) is BitLocker. New to Windows Server 2008, it lets an IT administrator encrypt both the operating system volume and additional data volumes on the same server.
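Fine-grained password policies appear three times in this week's material, so here is the one that most organizations should create first: a stricter policy for privileged accounts. The following is an added example for this section, not code from the course deck or from Microsoft. It creates the Password Settings Object with ldifde, which is the Windows Server 2008 way (the ActiveDirectory PowerShell module did not exist until 2008 R2), and then reads the constructed msDS-ResultantPSO attribute to confirm which policy a given user actually receives. It requires the Windows Server 2008 domain functional level; the policy name, values and the Domain Admins target are assumptions.

```powershell
# Added example (not from the course deck): create a PSO for privileged accounts with ldifde and
# verify the resultant policy on a user (Windows Server 2008 DFL, PowerShell 2.0, ADSI).

$domainDn = [string]([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value

# Time-valued PSO attributes are I8 values in 100-nanosecond ticks, stored as negative numbers
function ConvertTo-PsoInterval {
    param([int]$Days = 0, [int]$Hours = 0, [int]$Minutes = 0)
    -(New-TimeSpan -Days $Days -Hours $Hours -Minutes $Minutes).Ticks
}

# All ten settings below are mandatory when the object is created. Precedence 10 wins over any
# PSO with a larger number if several apply to the same user.
$ldif = @"
dn: CN=PSO-PrivilegedAccounts,CN=Password Settings Container,CN=System,$domainDn
changetype: add
objectClass: msDS-PasswordSettings
cn: PSO-PrivilegedAccounts
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval -Days 1)
msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval -Days 42)
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval -Minutes 30)
msDS-LockoutDuration: $(ConvertTo-PsoInterval -Minutes 30)
msDS-PSOAppliesTo: CN=Domain Admins,CN=Users,$domainDn
"@

$ldifFile = Join-Path $env:TEMP 'pso-privileged.ldf'
Set-Content -Path $ldifFile -Value $ldif -Encoding ASCII
ldifde -i -f $ldifFile          # import; add -k to skip "already exists" errors on re-runs

# msDS-ResultantPSO is constructed on the DC, so it has to be requested explicitly
function Get-ResultantPso {
    param([string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    $user.RefreshCache([string[]]@('msDS-ResultantPSO'))
    $pso = $user.Properties['msDS-ResultantPSO'].Value
    if ($pso) { [string]$pso } else { '(none: the Default Domain Policy password settings apply)' }
}

Get-ResultantPso -UserDn "CN=Administrator,CN=Users,$domainDn"
```

Apply PSOs to global security groups rather than to individual users, as above, so that adding someone to Domain Admins automatically subjects them to the stricter policy; and remember that a PSO applied to a user through several groups is resolved by precedence, not merged.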
AD Federation Services
AD Federation Services Overview:
- Active Directory Federation Services (AD FS) provides Internet-based clients with a secure identity access solution that works on both Windows and non-Windows operating systems.
- Normally when a user from one network tries to access an application in another network, they must have a secondary username and password. AD FS allows organizations to set up trust relationships between networks and supports single sign-on (SSO), which allows users to access applications on other networks without needing secondary passwords. Security is improved and administrators spend less time resetting passwords when users do not have to remember multiple passwords.
- AD FS requires an AD FS server on both ends of the connection. For example, if company A is going to set up a trust relationship with company B, an AD FS server needs to be configured at both company A and company B.
AD Federation Services (cont)
AD Federation Services Configuration
- AD FS Web Agents – Administrators can configure a Windows NT token-based Web Agent. To support this feature, Windows Server 2008 AD FS includes a user interface for the AD FS Web Agent role service. The Web Agent account is a service account that calls upon other services.
- Trust policies – The AD FS trust policy is a file that outlines the set of rules a Federation Service uses to recognize partners, certificates, account stores, claims, and the many other properties associated with the Federation Service.
- User and group claim mapping – In basic terms, claim mapping means that each partnered location agrees on and appropriately maps the AD FS trust policy for sharing between federation partners. A claim contains user information and helps users connect to a partner's resources. Three types of claims are supported by AD FS:
  - Identity claim – Identifies the user. The identity claim is included within a security token. A security token can contain up to three identity claims (UPN, e-mail address, and common name).
  - Group claim – Indicates membership in a group or role.
  - Custom claim – Provides any additional information that needs to be sent. An example might be DepartmentID: a custom field that in turn becomes a custom claim. A custom claim can carry any attribute that is located in Active Directory.
AD Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS) Overview:
- An LDAP directory service for directory-enabled applications that runs as a service on a member server or workstation, without the domain, domain controller, or forest-wide schema dependencies that AD DS requires. Several independent instances can run on one server, each with its own LDAP and LDAPS ports and its own schema.
Configuring AD LDS
- Configuring an authentication store – Say you have a web or data server and want a place to store authorization information for it. This is the type of situation in which an AD LDS authentication store can help. AD LDS works well as an authentication store because it can host user account objects even though they are not Windows security principals, and it can authenticate those non-Windows security principals by using LDAP simple binds. A simple bind sends the password in the clear, so require SSL/TLS (LDAPS) on the instance whenever simple binds are used.
- Configuring the data within AD LDS – Remember, earlier we said that AD LDS is like an address book, and you edit who is in that address book by configuring the data within AD LDS. To configure the data within AD LDS, you can use the ADSI Edit snap-in (or ldifde and ldp.exe).
- Migrating to AD LDS – What if your company was using an X.500-style directory service integrated into legacy applications and you want to move to AD DS? You can use AD LDS to service the legacy applications while you use Active Directory for the shared security infrastructure.
- Windows Server 2008 Hyper-V – Windows Server 2008 has a role-based feature called Hyper-V. Hyper-V is a hypervisor-based virtualization feature (a hypervisor is a virtual machine monitor) that includes all the necessary features to support machine virtualization. By using machine virtualization, a company can reduce costs, improve server utilization, and create a more dynamic IT infrastructure.
AD Rights Management Services
Active Directory Rights Management Services Overview
- Active Directory Rights Management Services (AD RMS), included with Microsoft Windows Server 2008, allows administrators or users to determine what access (open, read, modify, etc.) they give to other users in an organization. Access restrictions can improve security for messages, internal websites, and documents.
- Three new administrative roles allow for delegation of AD RMS responsibilities: AD RMS Enterprise Administrators, AD RMS Template Administrators, and AD RMS Auditors.
- Self enrollment – AD RMS server enrollment allows for the creation and signing of a server licensor certificate (SLC). This SLC gives the AD RMS server the right to issue certificates and licenses whenever they are needed.
- Active Directory Metadirectory Service (AD MDS) – Microsoft's identity management product, AD MDS, gives systems the tools they need to get identity data from directories and then expose that data through a directory service interface such as LDAP.
Questions and Answers
Week 3 Assignment/Homework
Week 4 Reading:
- Read Chapter 7: Administering Active Directory
- Read Chapter 8: Configuring Group Policy Objects