1 COMP091 OS1 Active Directory

2 Some History
– Early 1990s: Windows for Workgroups introduced peer-to-peer networking based on SMB over NetBIOS (TCP/IP still foreign)
– No central authentication
– Users invent workgroup names freely; workgroup names (Accounting, Payroll) really just make it easier to find computers on the network
– No effective security role

3 Windows Domains
– More or less simultaneously, NT introduced real networking (TCP/IP) and the Windows domain concept
– Name resolution still based on primitive broadcast protocols and self-configuring WINS servers
– But a central directory was introduced to control access to domain resources and to authenticate users

4 Domain Controllers
– With central authentication and access control, there needs to be a central database
– Primary Domain Controllers (PDC) and Backup Domain Controllers (BDC) served that function in early NT systems
– Notice that centralised authentication calls for:
  – An authentication mechanism
  – A database
  – A backup authentication mechanism
  – A database replication mechanism
– Domain Controllers offered primitive versions of these functions: a single writable PDC, with BDCs holding read-only copies of its database

5 NDS
– While Windows was deploying NT domain controller based networking, the competition was way ahead
– Novell's NDS had:
  – A flexible and extensible LDAP based directory
  – A sophisticated replication strategy
  – An authentication service
  – Fine grained ACLs
  – All types of resources in the directory: printers, computers, users, groups

6 NDS
– MS response originally called NTDS
  – Maybe too similar to NDS
– Now called Active Directory

7 Active Directory
– Active Directory includes:
  – A flexible and extensible LDAP based directory
  – A sophisticated replication strategy
  – An authentication service (Kerberos, with NTLM kept for compatibility)
  – Fine grained ACLs
  – All types of resources in the directory: printers, computers, users, groups
  – DNS based computer names
    – But WINS servers still needed for legacy NetBIOS clients and applications

8 AD Data Structures
– An NT PDC/BDC was intended to serve one domain, so Accounting might have one, and Payroll too
– AD wants a unified database
  – So an Accounting login can have access to Payroll resources
– AD extends this functionality to globally distributed organisations
– Geographically disparate AD installations can each house a partition of the enterprise AD database: each domain is its own partition (naming context), replicated only to that domain's controllers, while the schema and configuration partitions are replicated forest-wide
  – But trust relationships can be enterprise wide

9 AD Trust Relationships
– AD domains can "trust" other Active Directory domains
– This really means that an AD domain can trust the users (security principals) authenticated by another domain
– Trusted users from the other domain can be given access to resources in the trusting domain
  – Accounting users can be given access to files owned by the Payroll Department
– This works automatically within a forest because the two domains share the forest's schema, configuration and global catalog and are joined by automatic transitive trusts; a domain in a different forest can only be trusted through an explicitly declared trust (slide 18)

10 Objects and Attributes
– The AD database contains information on many different types of things, collectively called objects
– Some objects can be "containers" of other objects
  – A domain can contain sub-domains
  – Producing a hierarchical tree-like structure
– Objects are defined by the values of their attributes
– Objects of the same "class" have the same attributes (as defined by the schema)
  – But different attribute values

11 Active Directory Objects and Attributes

12 Forests and Trees
– Container objects contain other objects, which may in turn contain objects
– The resulting hierarchy is called a tree, with root objects, branch objects and leaf objects
– A tree of domains shares a contiguous DNS namespace (e.g. a parent domain and its child domains)
– An AD database can contain more than one tree
– The collection of trees in an AD database is called a forest; all trees in a forest share one schema, one configuration partition and one global catalog, and the forest (not the domain) is the real security boundary

13 Domain Tree

14 Forest of Trees

15 Organizational Units
– An alternative to breaking a domain down into sub-domains is to establish organizational units (OUs)
  – Think of departments
– These are also containers
  – For users, groups, computers, printers etc. (files are not directory objects; they live on file servers and are protected by their own ACLs)
– Administration can be delegated to an OU administrator

16 OU Container

17 Trusts
– Implicit two-way transitive trust
  – Created automatically between parent and child domains
  – Transitive: if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C
  – Hence all domains in a tree trust each other
  – Tree-root trusts between the root domains of the trees in a forest are likewise automatic, two-way and transitive, so every domain in a forest trusts every other domain in that forest

18 Trusts
– Explicit one-way non-transitive trust (external trust)
  – Must be declared by an administrator
  – To a domain in a different forest, or to an NT domain
  – Only applies to the two explicitly declared domains; declare it in both directions to make it two-way
– Since Windows Server 2003 a forest trust can be declared between the root domains of two forests; it is transitive across both forests but does not extend to a third forest
– Keep SID filtering enabled on external and forest trusts, otherwise a trusted domain can present SIDs from the trusting side (e.g. via SIDHistory) and be granted its privileges
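The following PowerShell is an added example, not part of the slide deck: it lists the trusts of the current domain as slides 17 and 18 classify them (automatic intra-forest, forest, external) and flags the settings an auditor checks on outbound trusts. It assumes the RSAT ActiveDirectory module and a domain-joined session; no domain names are hard-coded, and the `Get-TrustReport` function name is ours.

```powershell
# Added example (not from the slides): list this domain's trusts and flag the
# ones that widen the trust boundary. Needs the RSAT ActiveDirectory module
# and a domain-joined session; no domain names are hard-coded.
Import-Module ActiveDirectory

function Get-TrustReport {
    param([string]$Server)     # optional: a specific domain controller to query

    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }

    foreach ($t in Get-ADTrust @query) {
        # Direction is relative to this domain: Outbound = we trust them,
        # Inbound = they trust us, BiDirectional = both.
        $direction   = $t.Direction.ToString()
        $weTrustThem = $direction -in @('Outbound', 'BiDirectional')
        $findings    = @()

        if ($t.IntraForest) {
            $findings += 'automatic trust inside the forest (two-way, transitive)'
        }
        elseif ($t.ForestTransitive) {
            $findings += 'forest trust: transitive across every domain of the other forest'
        }
        else {
            $findings += 'external trust: non-transitive, only this pair of domains'
        }

        # Only outbound trusts let foreign principals into our resources, so the
        # hardening flags matter only there.
        if ($weTrustThem -and -not $t.IntraForest) {
            if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
                $findings += 'quarantine (SID filtering) flag not set on external trust'
            }
            if (-not $t.SelectiveAuthentication) {
                $findings += 'selective authentication off: every user of the trusted domain may authenticate here'
            }
        }

        [pscustomobject]@{
            Target    = $t.Target
            Direction = $direction
            TrustType = $t.TrustType
            Findings  = ($findings -join '; ')
        }
    }
}

Get-TrustReport | Format-Table -AutoSize -Wrap
```

Run it from any domain member with RSAT; trusts are stored in the domain partition, so the report is per domain and must be repeated for each domain in a forest.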

19 Two Types of Trust Relationships

20 Trusting Everyone -- Replication
– In order to trust users in another domain, there needs to be access to the other domain's user list
– A subset of every object's attributes (the partial attribute set) from every domain is replicated to the global catalog
– Some domain controllers are designated as Global Catalog Servers
– The global catalog is replicated to all Global Catalog Servers in the forest
– Logging on and accessing resources outside your own domain require a reachable global catalog server (e.g. to evaluate universal group membership and resolve user principal names)

21 Replication for Redundancy
– The global catalog is replicated to ensure global access
– The entire domain database is replicated to ensure continuous availability
  – Multiple controllers for each domain
  – Multiple global catalog servers in the forest
– Replication configuration is complex
– Allows for fast replication of some data
  – Within a site
  – New users
– Slower replication of other data
  – Across slower links
  – Less critical information

22 Assigning Permissions - Groups
– Access to resources can be assigned to each user individually
  – Too much administrative overhead
– Instead, users can be assigned to groups, and permissions are then granted to the group
– Groups can contain groups
– Users get their own rights, plus the rights of their group, plus the rights of groups their group is in
  – An explicit Deny entry on any of those groups overrides the Allow entries, so nested membership can remove access as well as grant it

23 Types of Groups
– Global group
  – Members restricted to the local domain (users and other global groups of that domain); can be granted rights on resources anywhere in the forest
– Domain local group
  – Members from any domain in the forest; rights restricted to resources in the local domain
– Universal group
  – Any users or groups from the forest, any resource; membership is stored in the global catalog
– Default groups
  – Domain Admins
  – Domain Guests
  – Domain Users
  – etc.
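The following PowerShell is an added example, not part of the slide deck. It shows the consequence of slide 22 (groups can contain groups): who is effectively a member of a group once nesting is expanded, and the chain of groups that puts a given principal there. It assumes the RSAT ActiveDirectory module; the group `Domain Admins` is a real default group, while the user `alice` and the function names are hypothetical.

```powershell
# Added example (not from the slides): expand nested group membership
# server-side and explain a principal's path into a group. Needs the RSAT
# ActiveDirectory module; the user name at the bottom is a placeholder.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a DN containing '\,' or parentheses cannot break the filter.
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-EffectiveMembers {
    # Every non-group object that is a member of $GroupDN directly or through
    # any chain of nested groups. LDAP_MATCHING_RULE_IN_CHAIN
    # (OID 1.2.840.113556.1.4.1941) makes the DC follow memberOf transitively.
    # Caveat: the primary group (primaryGroupID, usually Domain Users) is not
    # in memberOf and is therefore not seen by this filter.
    param([Parameter(Mandatory)][string]$GroupDN)
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $GroupDN))"
    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName |
        Where-Object { $_.ObjectClass -ne 'group' } |
        Select-Object sAMAccountName, ObjectClass, DistinguishedName
}

function Find-MembershipPath {
    # Breadth-first walk up memberOf from a principal to the target group,
    # returning the chain of DNs (principal first) or $null if there is none.
    param(
        [Parameter(Mandatory)][string]$PrincipalDN,
        [Parameter(Mandatory)][string]$TargetGroupDN
    )
    $queue   = New-Object 'System.Collections.Generic.Queue[object]'
    $visited = @{}
    $queue.Enqueue(@($PrincipalDN))
    while ($queue.Count -gt 0) {
        $path    = $queue.Dequeue()
        $current = $path[-1]
        if ($current -eq $TargetGroupDN) { return $path }       # -eq on strings is case-insensitive, as DNs are
        if ($visited.ContainsKey($current)) { continue }         # diamonds and cycles are legal in AD
        $visited[$current] = $true
        $obj = Get-ADObject -Identity $current -Properties memberOf
        foreach ($parent in $obj.memberOf) { $queue.Enqueue($path + $parent) }
    }
    return $null
}

# Usage (hypothetical user): who is effectively a Domain Admin, and why is alice?
$da = (Get-ADGroup 'Domain Admins').DistinguishedName
Get-EffectiveMembers -GroupDN $da | Format-Table -AutoSize
$alice = (Get-ADUser 'alice').DistinguishedName
(Find-MembershipPath -PrincipalDN $alice -TargetGroupDN $da) -join ' -> '
```

The chain query is answered by the domain controller in one round trip, which is why it is preferred over client-side recursion for large groups; members from other domains show up as foreignSecurityPrincipal objects and need the same query against their home domain to resolve further.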

24 Group Policy
– Not the same groups as used to assign permissions
– A policy is linked to one of: a site, a domain or an OU
– Policies contain user and computer related configuration information
– A policy therefore applies to the complete set of users or computers in a site, domain or OU, not to an arbitrary set of users (security filtering, slide 32, is how the scope is narrowed)
– A user or computer object sits in exactly one OU, but the policies linked to that OU, to every OU above it, to the domain and to the site all apply, so several policies are merged in a defined order
  – Which sometimes makes sense, and sometimes has to be overridden

25 Group Policy Objects
– Create specific desktop configurations for particular groups of users
– Collections of group policy settings
– A computer has one local GPO and any number of AD-based GPOs
– The local GPO can be overridden by other GPOs; it is the least influential in an Active Directory environment

26 Group Policy Priority
– Local GPO
  – Each computer has one GPO stored locally, processed first
– Site GPOs
  – GPOs linked to the computer's site are processed next
  – The administrator specifies the order of the GPOs linked to a site

27 Group Policy Priority
– Domain GPOs
  – Domain-linked GPOs are processed next
  – The administrator specifies the order of the GPOs linked to a domain
– OU GPOs
  – GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs linked to its child OU, and so on down to the OU containing the object
– Later wins: when two GPOs set the same setting, the one processed last takes effect, so the GPO linked closest to the object normally has the highest precedence
  – Exceptions: a link marked Enforced cannot be overridden by GPOs below it, and an OU with Block Inheritance ignores non-enforced GPOs from above
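The following PowerShell is an added example, not part of the slide deck. It walks the container chain of a user or computer from the domain root down and lists the domain- and OU-linked GPOs in the processing order of slides 26 and 27, honouring link order, Enforced and Block Inheritance; it does not cover the local GPO or site GPOs, because the site comes from the computer's subnet rather than from its DN. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the function name and the account name in the usage line are hypothetical.

```powershell
# Added example (not from the slides): compute the domain/OU part of the
# GPO processing order for one object. Needs RSAT ActiveDirectory + GroupPolicy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoProcessingOrder {
    param([Parameter(Mandatory)][string]$SamAccountName)   # computer accounts end in '$'

    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)"
    if (-not $obj) { throw "no object with sAMAccountName '$SamAccountName'" }

    # Container chain, root -> leaf. A DN is leaf-first, so strip one RDN at a
    # time until only the domain (DC=...) component is left.
    $chain = @()
    $cur = $obj.DistinguishedName
    do {
        $cur   = $cur.Substring($cur.IndexOf(',') + 1)
        $chain = ,$cur + $chain
    } while ($cur -notmatch '^DC=')

    $levels = @(foreach ($target in $chain) { Get-GPInheritance -Target $target })

    $applied       = @()   # processing order: the last entry wins on conflicting settings
    $enforcedLater = @()   # enforced links are applied after everything else, root-most last
    for ($i = 0; $i -lt $levels.Count; $i++) {
        # A Block Inheritance anywhere closer to the object drops this level's
        # non-enforced links.
        $blockedBelow = $false
        for ($j = $i + 1; $j -lt $levels.Count; $j++) {
            if ($levels[$j].GpoInheritanceBlocked) { $blockedBelow = $true }
        }

        # Link order 1 has the highest precedence within a container, so it is
        # processed last: iterate in descending link order.
        $levelEnforced = @()
        foreach ($link in ($levels[$i].GpoLinks | Sort-Object Order -Descending)) {
            if (-not $link.Enabled) { continue }
            $row = [pscustomobject]@{
                Scope    = $chain[$i]
                Gpo      = $link.DisplayName
                Enforced = $link.Enforced
            }
            if ($link.Enforced)          { $levelEnforced += $row }
            elseif (-not $blockedBelow)  { $applied += $row }
        }
        $enforcedLater = $levelEnforced + $enforcedLater
    }

    $seq = 0
    foreach ($row in ($applied + $enforcedLater)) {
        $seq++
        $row | Add-Member -NotePropertyName Seq -NotePropertyValue $seq -PassThru
    }
}

# Usage (hypothetical account):
Get-GpoProcessingOrder -SamAccountName 'alice' | Format-Table Seq, Scope, Gpo, Enforced -AutoSize
```

To compare against what a client actually applied, run `gpresult /r` (or `Get-GPResultantSetOfPolicy`) on the machine; differences usually come from site links, security filtering (slide 32) or WMI filters, none of which the DN walk can see.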


29 Group Policy Settings
– Some apply to users
  – Based on the user's domain and OUs
  – Applied when the user logs in
– Some apply to computers
  – Based on the computer's domain and OUs
  – Applied when the OS initializes
– Include Software Settings, Windows Settings, and Administrative Templates

30 GPO Contents
– Scripts
  – Logon/Logoff (user) and Startup/Shutdown (computer)
– Security Settings
  – Applied after the security template
– Other software settings, e.g. IE parameters
– Administrative Templates: registry-based settings, written under
  – HKEY_LOCAL_MACHINE (HKLM) for the computer configuration
  – HKEY_CURRENT_USER (HKCU) for the user configuration


32 Aligning Policy Groups with Security Groups
– Policy scope is based on sites, domains and OUs
– Security groups can be arbitrary, and users can belong to multiple security groups
– To have GPOs for a security group (security filtering):
  – Create a GPO for each group
  – Link all the GPOs at the top level (the domain)
  – Remove the Read and Apply Group Policy permissions that Authenticated Users gets by default, and grant Read and Apply Group Policy to the security group whose members should receive the GPO
  – Since MS16-072 (June 2016) user settings are retrieved in the computer's security context, so computer accounts (e.g. Domain Computers) must keep Read on the GPO or the user settings silently stop applying
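The following PowerShell is an added example, not part of the slide deck. It performs the security-filtering procedure of slide 32 for one GPO per security group, all linked at the domain, including the computer Read permission required since MS16-072, and then prints the resulting ACL so the scope can be verified. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the GPO names, the group names and the function names are hypothetical.

```powershell
# Added example (not from the slides): scope a domain-linked GPO to one
# security group with security filtering. Needs RSAT ActiveDirectory +
# GroupPolicy; the GPO and group names below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Set-GpoSecurityFiltering {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # A new GPO grants Authenticated Users Read + Apply Group Policy, i.e. it
    # applies to everyone under the link. Drop that first.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel None | Out-Null
    # Read + Apply Group Policy for the intended group only.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null
    # MS16-072 (KB3163622): user settings are fetched in the computer's
    # security context, so computers must still be able to *read* the GPO
    # (Read only, not Apply) or the user half silently stops applying.
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
                     -PermissionLevel GpoRead | Out-Null
}

function Get-GpoScope {
    # Who can read and who will apply the GPO: the first thing to check when a
    # policy applies (or fails to apply) unexpectedly.
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission, Denied
}

# Usage (hypothetical names): one GPO per security group, all linked at the domain.
$domainDn = (Get-ADDomain).DistinguishedName
$pairs = @(
    @{ Gpo = 'Payroll Desktop';    Group = 'Payroll-Users' },
    @{ Gpo = 'Accounting Desktop'; Group = 'Accounting-Users' }
)
foreach ($pair in $pairs) {
    if (-not (Get-GPO -Name $pair.Gpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $pair.Gpo | New-GPLink -Target $domainDn | Out-Null
    }
    Set-GpoSecurityFiltering -GpoName $pair.Gpo -GroupName $pair.Group
    Get-GpoScope -GpoName $pair.Gpo | Format-Table -AutoSize
}
```

Granting Apply Group Policy to a group is what makes a domain-linked GPO behave like a per-group policy; a Deny on Apply Group Policy for another group excludes its members even when they are also in the filtered group, because Deny wins, exactly as with file ACLs on slide 22.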

33 GPO for Security Group

34 Resources
– Old but authoritative: http://technet.microsoft.com/en-us/library/bb742424.aspx
– A tutorial: http://searchwindowsserver.techtarget.com/tutorial/Active-Directory-Tutorial
– A collection: http://www.petri.co.il/ad.htm
– Wikipedia: http://en.wikipedia.org/wiki/Active_Directory

