Presentation on theme: "ADVANCED MICROSOFT ACTIVE DIRECTORY CONCEPTS"— Presentation transcript:
Slide 1: Chapter 2, ADVANCED MICROSOFT ACTIVE DIRECTORY CONCEPTS (title slide)
Slide 2: OVERVIEW
- Explain the purpose of an application directory partition
- Configure and manage application directory partitions using the Ntdsutil utility
- Configure and manage trust relationships
- Explain the difference between external trusts, shortcut trusts, and cross-forest trusts, and describe the situations in which each is appropriate
Instructor notes: Discuss the topics covered in this chapter. This chapter builds on the information presented in Chapter 1, "Reviewing Microsoft Active Directory Concepts," by examining some of the more advanced features available in the Active Directory directory service on Microsoft Windows Server 2003. The chapter overview is continued on the next slide.
Slide 3: OVERVIEW (CONTINUED)
- Understand the purpose of user principal name (UPN) suffixes, as well as how to define additional UPN suffixes by using Active Directory Domains And Trusts
- Understand the purpose of the Active Directory schema
- Identify the key considerations associated with making changes to the Active Directory schema
- Understand when to extend the Active Directory schema, as well as deactivate or reactivate existing classes and attributes
Instructor notes: Continue to introduce the topics covered in this chapter.
Slide 4: MANAGING APPLICATION DIRECTORY PARTITIONS
- A partition is a segment of Active Directory that stores a particular type of information.
- Windows Server 2003 supports the four existing partition types from Microsoft Windows 2000 Active Directory and one new partition type: application partitions.
- Application partitions can exist only on domain controllers running Windows Server 2003.
Instructor notes: Explain the function and purpose of application directory partitions. Application directory partitions can be thought of as separate elements from the actual Active Directory, but they are administered through Active Directory. Using the example provided in the textbook of Active Directory-integrated Domain Name System (DNS), discuss how application partitions can take advantage of the replication system built into Active Directory.
Slide 5: NAMING APPLICATION DIRECTORY PARTITIONS
- An application directory partition is part of the overall forest namespace and is named accordingly.
- An application directory partition can be placed as:
  - A child of a domain partition
  - A child of an application directory partition
  - A new tree in the forest
Instructor notes: Discuss application directory partition naming and provide some examples by drawing a basic tree or forest structure on a whiteboard and inserting application directory partitions at various points. After providing an example or two, draw an application partition in the structure and have students provide the correct name for the object.
Slide 6: APPLICATION DIRECTORY PARTITION REPLICATION
- The knowledge consistency checker (KCC) automatically generates and maintains the replication topology for all application directory partitions in a forest.
- When an application directory partition has replicas in more than one site, those replicas follow the same intersite replication schedule as a domain partition.
- Objects stored in an application directory partition are never replicated to the global catalog.
- Application directory partitions should be replicated to all sites and domains in which users require regular access to that data.
- Replication delays can be configured using the Ntdsutil utility.
Instructor notes: Discuss application directory partition replication. A detailed discussion of application directory partitions and replicas follows.
Slide 7: APPLICATION DIRECTORY PARTITIONS AND DOMAIN CONTROLLER DEMOTION
Instructor notes: Explain to students the importance of considering application directory partition placement when a computer that is a domain controller is to be demoted. To make sure students understand what is being discussed, explain that domain controller demotion is the process of removing Active Directory from the system, thus turning it into a member server. Discuss the various points detailed in the book, but stress that in basic terms you must ensure that another replica of the application directory partition exists on another Windows Server 2003 system before you perform the demotion. The only exception to this is if you have determined that you no longer need that application directory partition. Demonstrate the use of the Active Directory Installation Wizard (as shown in the slide) to determine what replicas of an application directory partition are present on other servers.
Slide 8: SECURITY DESCRIPTOR REFERENCE DOMAIN
- Security descriptors control the type of access allowed to users, groups, and computers.
- If the object or container is not assigned a security descriptor by the application or service that created it, the default security descriptor for that object class as defined in the schema is assigned.
- If you plan to change the settings in the security descriptor reference domain of a particular application directory partition, you should do so before creating the first instance of that partition.
Instructor notes: Explain the purpose and function of security descriptors. Security descriptors represent a fairly advanced topic, even for Microsoft Certified Systems Engineers (MCSEs). For that reason, take a moment to explain their function and purpose.
Slide 9: ADMINISTERING APPLICATION DIRECTORY PARTITIONS
- Create or delete an application directory partition
- Add or remove an application directory partition replica
- Display application directory partition information
- Set a notification delay
Instructor notes: This slide lists some of the tasks associated with the management of application directory partitions. Detailed discussion of these topics follows.
Slide 10: CREATING OR DELETING AN APPLICATION DIRECTORY PARTITION
Instructor notes: Demonstrate the process of creating and deleting an application directory partition using Ntdsutil. Explain to students that, although it is okay to do this in a classroom environment for the purposes of demonstration, in a live environment careful consideration and planning should go into the creation or deletion of an application directory partition.
Slide 11: ADDING OR REMOVING AN APPLICATION DIRECTORY PARTITION REPLICA
- A replica is a copy of the application partition created on another domain controller.
- Multiple replicas can be created for fault tolerance and load balancing.
- Needlessly creating multiple replicas can create unnecessary network traffic.
Instructor notes: Explain to students the difference between creating or deleting an application directory partition and adding or removing (note the different terminology) partition replicas. Adding an application partition replica is simply the process of making another copy of the application partition; it is not the creation of a new application partition. The same is true when removing a replica: it is not the same thing as deleting the application partition. Discuss the circumstances under which you would create more than one replica of an application partition, namely to increase fault tolerance and improve performance. Caution students against creating unnecessary replicas of an application partition, which simply create more network traffic.
Slide 12: DISPLAYING APPLICATION DIRECTORY PARTITION INFORMATION
Instructor notes: Demonstrate the use of Ntdsutil to list the domain controllers that are members of a replica set for a directory partition.
Slide 13: SETTING REPLICATION NOTIFICATION DELAYS
- Replication notification delays are configured using Ntdsutil.
- Delays control how long a domain controller waits after a change before notifying its replication partners.
Instructor notes: Discuss setting replication notification delays and demonstrate the process of configuring delays with Ntdsutil. To configure a delay using Ntdsutil, the distinguished name of the partition is required. Although the example in the book cites the prevention of an incorrect change as a reason to delay replication, a more common reason is simply to allow changes to be propagated through the network in a more staggered fashion. This can be particularly relevant if you are performing an operation that will take some time to complete. Delaying replication can prevent a replication cycle from occurring mid-process, which would otherwise cause only partial changes to be replicated between domain controllers.
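As an added example (not from the course or its textbook), the scripted form of the Ntdsutil tasks on slides 9 through 13: it names the partition as a child of the domain partition (slide 5) and lists the replica set, which is the check slide 7 asks for before a domain controller is demoted. It assumes two domain controllers, DC1.contoso.com and DC2.contoso.com, in a forest root domain contoso.com; the partition name and the delay values are placeholders, and Invoke-Ntdsutil is a helper written here, not a Windows command.

```powershell
# Added example: drive the Ntdsutil "domain management" menu from PowerShell to
# manage an application directory partition end to end. Server and partition
# names are placeholders.

$Dc1   = 'DC1.contoso.com'
$Dc2   = 'DC2.contoso.com'
# Named as a child of the contoso.com domain partition (slide 5).
$AppNC = 'DC=AppPart,DC=contoso,DC=com'
# Windows Server 2003 menu name; on Windows Server 2008 and later the same
# commands live under "partition management".
$Menu  = 'domain management'

function Invoke-Ntdsutil {
    # Ntdsutil accepts its interactive menu commands as command-line arguments;
    # each array element is one line you would otherwise type at the prompt.
    param([string[]]$Commands)
    & ntdsutil.exe @Commands 2>&1
}

# Every call binds to DC1 inside the menu, runs one command, then quits out.
$prefix = @($Menu, 'connections', "connect to server $Dc1", 'quit')
$suffix = @('quit', 'quit')

# 1. Create the partition, with its first replica on DC1 (slide 10).
Invoke-Ntdsutil ($prefix + "create nc $AppNC $Dc1" + $suffix)

# 2. Add a second replica on DC2 for fault tolerance (slide 11). Each extra
#    replica costs replication traffic, so add only where users need the data.
Invoke-Ntdsutil ($prefix + "add nc replica $AppNC $Dc2" + $suffix)

# 3. Show which domain controllers hold a replica (slide 12). Run this before
#    demoting a DC: another replica must exist, or the data goes with it (slide 7).
Invoke-Ntdsutil ($prefix + "list nc replicas $AppNC" + $suffix)

# 4. Stagger replication (slide 13): wait 300 s before the first change
#    notification and 30 s between subsequent ones. Values are examples.
Invoke-Ntdsutil ($prefix + "set nc replicate notification delay $AppNC 300 30" + $suffix)

# Teardown runs in the reverse order: remove the extra replica, then delete the
# partition itself. Left commented out because deletion is irreversible.
# Invoke-Ntdsutil ($prefix + "remove nc replica $AppNC $Dc2" + $suffix)
# Invoke-Ntdsutil ($prefix + "delete nc $AppNC" + $suffix)
```

The script must run as a member of Enterprise Admins (creating a partition is a forest-level change), and the output of each call is the same text the interactive Ntdsutil session prints, so `list nc replicas` is the line to capture in a pre-demotion checklist.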
Slide 14: MANAGING TRUST RELATIONSHIPS
- Logical links between domains and forests allow resource access from one element to another.
- Trust relationships:
  - Can be created either manually or automatically
  - Can be either transitive or nontransitive
  - Can be either one-way or two-way
Instructor notes: Students should already be familiar with the concept of trust relationships from their studies of Windows 2000; however, because trust relationships are a background technology, it is worth discussing the concept from the ground up. Explain that without trust relationships, each user would need an account in every domain that hosts a resource to which the user requires access. This approach would be highly impractical in large environments with a number of domains. Explain that in Windows Server 2003, some trust relationships, such as those between domains in a tree, are created automatically and cannot be deleted or altered. Others, such as trusts between forests, must be created manually. The actual process of creating trusts is discussed on the slides that follow.
Slide 15: UNDERSTANDING TRUST TYPES
- Tree-root trust
- Parent-child trust
- Shortcut trust
- Realm trust
- External trust
- Forest trust
Instructor notes: Discuss each of the trust types, and explain when each is used, using the bullet points in the textbook as a guide. Then discuss the difference between an incoming and outgoing trust. Reinforce the importance of understanding the difference between incoming and outgoing trusts when establishing trust relationships. Also reinforce the information contained in the note "Trust Does Not Guarantee Automatic Access" in the chapter. This is a very important concept and one that is misunderstood by many students. The establishment of a trust does not grant users in the trusted domain access; it simply makes it possible to grant those users access.
Slide 16: UNDERSTANDING FOREST TRUSTS
- Allow a single trust to be created between two trees, rather than between each of the domains in the two trees
- Only available when both trees are configured at the Windows Server 2003 forest functional level
Instructor notes: Discuss the use of forest trusts and explain when such a configuration might become relevant, for example when two companies, each with an Active Directory forest, merge. Using the bullet points in the textbook as a guide, explain some of the benefits associated with forest trusts. As discussed in the textbook, ensure students understand why forest trusts are transitive. Although these trusts are called "forest trusts," they are simply trusts between the root domains of two forests; they are not some "higher level" type of trust that deals with forests rather than domains. The transitivity has a limit: a forest trust is transitive between the two forests (every domain in one forest trusts every domain in the other), but it does not propagate across forest boundaries, so a trust between forest A and forest B plus a trust between B and C gives A no trust with C.
Slide 17: PLANNING TRUST RELATIONSHIPS
- When to create a shortcut trust
- When to create a realm trust
- When to create an external trust
- When to create a forest trust
Instructor notes: Use this slide to introduce the upcoming sections that discuss the situations in which you would create each different type of trust. Detailed discussion of each of these concepts follows.
Slide 18: WHEN TO CREATE A SHORTCUT TRUST
Instructor notes: Explain the circumstances in which you would create a shortcut trust. Explain that shortcut trusts are not required, because they do not provide any access that is not already available through multiple transitive trusts. However, they do provide a way of optimizing authentication traffic and thus improve network responsiveness.
Slide 19: WHEN TO CREATE A REALM TRUST
- Established between any non-Windows Kerberos version 5 realm and a Windows Server 2003 domain
- Commonly used to grant Active Directory users the ability to access resources in a UNIX Kerberos version 5 realm without requiring separate authentication
Instructor notes: Discuss the situations in which you would create a realm trust. Explain that in pure Windows Server environments there should be no need to create realm trusts. They are used only to communicate with non-Windows Kerberos version 5 systems.
Slide 20: WHEN TO CREATE AN EXTERNAL TRUST
- An external trust is used to form a one-way or two-way nontransitive trust relationship with another domain outside of your forest.
- Foreign security principal objects are created in the internal domain to represent each security principal from the trusted external domain.
Instructor notes: Discuss the situations when you would create an external trust, such as when users need access to resources located in a Windows NT 4.0 domain. Discuss the use of foreign security principal objects, but explain that the administrator does not create these objects; Active Directory creates them automatically. Demonstrate how to turn on the Advanced Features view in Active Directory Users And Computers, although there will likely not be any foreign security principal objects in your directory unless you have created external trusts.
Slide 21: WHEN TO CREATE A FOREST TRUST
- Allow objects from domains in one forest to be granted access to resources in another forest
- Normally implemented to accommodate mergers and acquisitions, or in service provider and outsourcing scenarios
- Can be implemented in a one-way or two-way configuration
Instructor notes: Discuss some instances in which a forest trust might be used. Explain to students that a forest trust is generally a major consideration, because in most cases the forests represent separate entities such as organizations, companies, or divisions. By creating a forest trust, you are making it possible for that many more users to access the resources in your forest, and vice versa. This can represent significant security risks.
Slide 22: ACCESSING RESOURCES ACROSS DOMAINS JOINED BY A FOREST TRUST
- Forest-wide authentication on a forest trust allows users from the trusted forest to have the same level of access to resources in the local forest as users who belong to the local forest.
- Selective authentication on a forest trust requires that you manually designate which users or groups in the trusted forest can authenticate for specific computers in the trusting forest.
Instructor notes: Explain that forest-wide authentication and selective authentication on a forest trust correspond to domain-wide and selective authentication on an external trust. In each case, the setting defines whether any security principal from the trusted side can be granted access, or only those you designate for specific computers.
Slide 23: SELECTIVE VS. DOMAIN-WIDE AUTHENTICATION
- Selective authentication allows you to specify which users from the trusted domain can be granted access to resources in the trusting domain.
- Domain-wide authentication provides all users from the trusted domain the capability to be granted access to resources in the trusting domain.
Instructor notes: Discuss the difference between selective and domain-wide authentication. Explain that domain-wide authentication is the default mode and that you would implement selective authentication only if you wanted to more closely control access across the trust. Make sure students understand, once again, that the discussion relates to which objects can be assigned permissions, not the actual assignment of permissions to those objects.
Slide 24: ADMINISTERING TRUST RELATIONSHIPS
Instructor notes: Demonstrate the use of Active Directory Domains And Trusts to verify and remove shortcut, realm, external, and forest trusts. Direct students to the Notes in Chapter 2, "Advanced Microsoft Active Directory Concepts," titled "Deleting Automatically Created Trusts" and "Deleting External Trusts," both of which provide useful information on the deletion of trusts.
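As an added example (not from the course or its textbook), a scripted counterpart to slides 15 through 24: Netdom creates the shortcut, realm, and external trusts, verifies and removes a trust, and Get-ADTrust then audits every trust the domain has for the direction and authentication-scope questions those slides raise. Domain, realm, and account names are placeholders. Netdom comes with the Windows Server 2003 Support Tools; the Get-ADTrust audit needs the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later), which the course's era did not have. The forest trust is left to the New Trust Wizard, as the course demonstrates it.

```powershell
# Added example: trust creation, verification, removal and audit. All names
# are placeholders; run from a domain controller or an admin workstation.

$Local = 'contoso.com'             # forest root domain of the local forest
$Child = 'sales.eu.contoso.com'    # a domain deep in the same forest
$Ext   = 'LEGACYNT4'               # Windows NT 4.0 domain outside the forest
$Realm = 'UNIX.EXAMPLE.COM'        # non-Windows Kerberos v5 realm

# Shortcut trust (slide 18): two-way between two domains of the same forest, so
# authentication referrals no longer walk the tree-root/parent-child chain.
# /ud and /pd are credentials in the trusted domain (/d), /uo and /po in the
# trusting domain; "*" makes Netdom prompt for the password.
netdom trust $Child "/d:$Local" /add /twoway "/ud:$Local\Administrator" /pd:* "/uo:$Child\Administrator" /po:*

# Realm trust (slide 19): nontransitive, with a shared trust password that the
# realm administrator also configures on the Kerberos KDC side.
$trustPwd = Read-Host 'One-time trust password shared with the realm administrator'
netdom trust $Local "/d:$Realm" /add /realm /twoway "/passwordt:$trustPwd" /transitive:no

# External trust (slide 20): the NT 4.0 domain trusts contoso.com one way, so
# contoso.com users can be granted access to resources in the NT 4.0 domain.
# Active Directory creates the foreign security principal objects itself.
netdom trust $Ext "/d:$Local" /add "/ud:$Local\Administrator" /pd:* "/uo:$Ext\Administrator" /po:*

# Verify a trust (slide 24); /remove /twoway would tear the shortcut down again.
netdom trust $Child "/d:$Local" /verify
# netdom trust $Child "/d:$Local" /remove /twoway "/ud:$Local\Administrator" /pd:* "/uo:$Child\Administrator" /po:*

# Audit (slides 21 to 23). Direction is seen from the local domain: Outbound or
# BiDirectional means principals from the other side can be granted access here.
Import-Module ActiveDirectory
$trusts = Get-ADTrust -Filter * -Server $Local
$trusts |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SelectiveAuthentication, SIDFilteringQuarantined |
    Format-Table -AutoSize

# Flag trusts from outside the forest that let every trusted principal
# authenticate here (domain-wide or forest-wide authentication). A trust grants
# no access by itself (slide 15), but selective authentication narrows who can
# even be granted it. Realm trusts appear too; they have no selective mode.
$trusts |
    Where-Object { -not $_.IntraForest -and $_.Direction -ne 'Inbound' -and -not $_.SelectiveAuthentication } |
    ForEach-Object {
        Write-Warning "$($_.Name): $($_.Direction) trust without selective authentication; review who can be granted access"
    }
```

The audit is the part worth keeping in a scheduled job: a two-way forest or external trust with SelectiveAuthentication set to False is exactly the configuration slide 21 describes as a significant security consideration, and a change in that list between runs is worth an explanation.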
Slide 25: ADDING OR REMOVING UPNS
- The UPN suffix is the part of a UPN to the right of the @ character; for example,
- Use alternative UPN suffixes to increase security and simplify the user logon process.
- UPNs are of most use in large trees where users log on from domains other than their own.
Instructor notes: Students should be familiar with the principles of a UPN, but a recap of the purpose of a UPN might be in order. Using a whiteboard, draw a diagram of a tree with multiple domains to reinforce the purpose behind creating multiple UPN suffixes. Although students can often see the benefits of using UPN suffixes in simplifying the user logon process, they often do not understand why it also simplifies security. Assigning resources by using a UPN makes it easier to ensure that you are granting permissions to the appropriate user account. Make sure students understand that the UPN must be unique within the forest. Also make sure that they understand why this is the case.
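As an added example (not from the course or its textbook), the scripted equivalent of the UPN Suffixes tab in Active Directory Domains And Trusts, followed by the forest-wide uniqueness check that slide 25 asks students to understand. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later); the suffix corp.example, the account jdoe, and the helper Test-UpnAvailable are placeholders and names chosen here, not Microsoft commands.

```powershell
# Added example: register an alternative UPN suffix, check that a proposed UPN
# is unique across the whole forest, and only then assign it. Names are
# placeholders.
Import-Module ActiveDirectory

$Forest    = (Get-ADForest).Name     # e.g. contoso.com (forest root)
$NewSuffix = 'corp.example'          # placeholder alternative suffix

# 1. Register the suffix at forest level. Set-ADForest takes Add/Remove/Replace
#    keys for the multi-valued UPNSuffixes attribute.
Set-ADForest -Identity $Forest -UPNSuffixes @{ Add = $NewSuffix }

function Test-UpnAvailable {
    # A UPN must be unique forest-wide, not just in one domain, so search the
    # global catalog (port 3268) with an empty search base, which covers every
    # domain in the forest in one query.
    param([string]$Upn, [string]$ForestName)
    $gc  = "${ForestName}:3268"
    $hit = Get-ADObject -Server $gc -SearchBase '' -SearchScope Subtree `
        -LDAPFilter "(userPrincipalName=$Upn)"
    return ($null -eq $hit)
}

# 2. Assign the new UPN to a user, refusing to create a duplicate. A duplicate
#    UPN makes UPN logon ambiguous, which is why the forest rejects it.
$Sam = 'jdoe'                         # placeholder account
$Upn = "$Sam@$NewSuffix"
if (Test-UpnAvailable -Upn $Upn -ForestName $Forest) {
    Set-ADUser -Identity $Sam -UserPrincipalName $Upn
    Write-Host "Assigned $Upn"
} else {
    Write-Warning "$Upn already exists elsewhere in the forest; choose another name"
}

# 3. Remove the suffix again once no account uses it. Check first, because
#    removing the suffix does not rewrite the UPNs already assigned.
$stillUsed = Get-ADObject -Server "${Forest}:3268" -SearchBase '' -SearchScope Subtree `
    -LDAPFilter "(userPrincipalName=*@$NewSuffix)"
if (-not $stillUsed) {
    Set-ADForest -Identity $Forest -UPNSuffixes @{ Remove = $NewSuffix }
}
```

The global catalog search is the point the slide makes in code: Get-ADUser against a single domain would miss a clash with a user in a sibling domain, and it is that forest-wide uniqueness that lets a UPN identify exactly one account when permissions are granted by UPN.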
Slide 26: MANAGING SCHEMA MODIFICATIONS
- Before making schema modifications, you must understand:
  - The purpose and function of the Active Directory schema
  - The requirements for planning schema changes
  - How to use the Active Directory Schema snap-in
Instructor notes: This slide lists the points that students must understand before they embark on the process of schema modifications. Detailed discussion of each of these topics follows. Use this opportunity to explain that making schema modifications is a potentially complex and risky process. An incorrect change could render the schema, and thus Active Directory, unusable. For that reason, make sure students understand that manual schema modifications should be avoided wherever possible.
Slide 27: THE ACTIVE DIRECTORY SCHEMA
- Database template that defines which objects and attributes can be stored in Active Directory.
- Objects are elements such as users, groups, printers, and computers.
- Attributes are properties of those objects, such as name, phone number, and location.
Instructor notes: Demonstrate objects and attributes by identifying a user account in the directory and then viewing the properties of the user account. Explain that by using an extensible schema, you can add objects and attributes to the directory. Detailed discussion of the extension or modification of the schema follows.
Slide 28: PLANNING SCHEMA CHANGES
- Extending the schema to include new object classes or attributes
- Modifying existing classes or attributes
- Deactivating and reactivating existing classes or attributes
Instructor notes: The slide details the different areas that are associated with planning schema changes. Detailed discussion of these points follows.
Slide 29: EXTENDING THE SCHEMA
- "Extending" refers to the addition of object classes or attributes to the base Active Directory schema.
- Extensions can be performed manually or can be performed by an Active Directory-aware application during installation.
- Once extended, schema extensions cannot be removed.
Instructor notes: Discuss schema extensions, but explain that best practice dictates that manual schema changes (that is, schema changes using the Active Directory Schema snap-in) should be avoided when possible. Explain that ideally schema extension and modification should be left to applications such as Microsoft Exchange Server that modify the schema automatically during installation.
Slide 30: MODIFYING EXISTING CLASSES OR ATTRIBUTES
- Existing object classes can be modified by changing the associated description or security permissions.
- Additional existing attributes can be associated with an object class.
- Existing schema attributes can be modified.
Instructor notes: Discuss the modification of existing classes or attributes in general terms, but stress to students that any such modification to the schema should be thoroughly planned and thought through.
Slide 31: DEACTIVATING AND REACTIVATING OBJECT CLASSES OR ATTRIBUTES
- The Windows Server 2003 Active Directory schema does not allow you to delete object classes or attributes.
- Object classes and attributes that are no longer required can be deactivated.
- If certain conditions are met, deactivated object classes and attributes can be reactivated.
Instructor notes: Discuss the deactivation and reactivation of object classes or attributes. Ask students if they can think of instances when they might want to deactivate a class or attribute. In live environments, deactivation of classes or attributes is relatively uncommon. One instance, though, when such an action might become necessary is if an Active Directory-integrated application is installed and then subsequently not needed. You can then deactivate object classes or attributes associated with the application.
Slide 32: ACTIVE DIRECTORY SCHEMA SNAP-IN
Instructor notes: Demonstrate the process of registering the dynamic-link library (DLL) file for the Active Directory Schema snap-in and adding the snap-in to a Microsoft Management Console (MMC). Make sure students understand the need to use the Active Directory Schema snap-in with caution. Best practice dictates that a complete backup of Active Directory be made before any schema modifications are made, and that ideally any schema modifications should be performed during periods of low network usage.
Slide 33: TRANSFERRING THE SCHEMA MASTER ROLE
Instructor notes: Before discussing the process of transferring the Schema Master role, discuss why you would want to perform this procedure. The most common reason is that you are taking the server currently acting as the Schema Master offline permanently, or you must move the role to another server for network planning reasons.
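As an added example (not from the course or its textbook), the scripted equivalents of the schema tasks on slides 26 through 33: registering the snap-in DLL, locating the Schema Master, deactivating and reactivating an attribute by its isDefunct flag, listing what is currently deactivated, and transferring the Schema Master role. The host name DC2 and the attribute contosoLegacyAttr are placeholders, and Set-SchemaAttributeDefunct is a helper written here. regsvr32 and Ntdsutil are present on the Windows Server 2003 domain controllers the course targets; the Get-ADObject, Set-ADObject and Move-ADDirectoryServerOperationMasterRole calls need the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later).

```powershell
# Added example: schema snap-in registration, deactivation/reactivation of a
# schema attribute, and a Schema Master transfer. Run as a member of Schema
# Admins; host and attribute names are placeholders.
Import-Module ActiveDirectory
$SchemaNC     = (Get-ADRootDSE).schemaNamingContext   # CN=Schema,CN=Configuration,DC=...
$SchemaMaster = (Get-ADForest).SchemaMaster            # the only DC that accepts schema writes
Write-Host "Schema Master: $SchemaMaster"

# 1. Register the Active Directory Schema snap-in DLL so it can be added to an
#    MMC console (slide 32). /s suppresses the confirmation dialog.
regsvr32.exe /s schmmgmt.dll

# 2. Back up the system state of a DC before any schema change (slide 32).
#    wbadmin exists on Windows Server 2008 and later; Windows Server 2003 uses
#    ntbackup for the same job. Left commented out so the script is not destructive.
# wbadmin start systemstatebackup -backupTarget:E: -quiet

# 3. Deactivate or reactivate an attribute (slide 31). The schema never deletes
#    a definition; deactivation sets isDefunct on the attributeSchema object,
#    and reactivation clears it again. The write must go to the Schema Master.
function Set-SchemaAttributeDefunct {
    param([string]$LdapDisplayName, [bool]$Defunct)
    $attr = Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "attribute '$LdapDisplayName' not found in the schema" }
    Set-ADObject -Server $SchemaMaster -Identity $attr -Replace @{ isDefunct = $Defunct }
}
# Attribute left behind by an uninstalled application (placeholder name).
Set-SchemaAttributeDefunct -LdapDisplayName 'contosoLegacyAttr' -Defunct $true
# Reactivate later, once the conditions the chapter describes are met:
# Set-SchemaAttributeDefunct -LdapDisplayName 'contosoLegacyAttr' -Defunct $false

# 4. Review everything currently deactivated, so that reactivation is deliberate.
Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNC -LDAPFilter '(isDefunct=TRUE)' `
    -Properties lDAPDisplayName |
    Select-Object lDAPDisplayName, ObjectClass

# 5. Transfer the Schema Master role to DC2 (slide 33). A transfer needs the
#    current holder online; seizing the role is a separate, last-resort step.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole SchemaMaster
# Ntdsutil equivalent, which works on Windows Server 2003:
# ntdsutil roles connections "connect to server DC2" quit "transfer schema master" quit quit
```

Binding every schema operation to $SchemaMaster rather than to whatever DC answers first is the practical lesson of slide 33: the schema partition is replicated everywhere, but only the role holder accepts changes, so a script that targets another DC fails with a referral even when the caller is a Schema Admin.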
Slide 34: SUMMARY
- An application directory partition is a directory partition that is replicated only to specific domain controllers throughout a forest.
- The KCC automatically generates and maintains the replication topology for all application directory partitions in the enterprise.
- A trust relationship is a logical link between two domains that allows users and other security objects in one domain to gain access to resources in another.
- Trusts can be automatically or manually created, and can be transitive or nontransitive.
Instructor notes: Summarize the information presented in this chapter. The chapter summary is continued on the next slide.
Slide 35: SUMMARY (CONTINUED)
- Windows Server 2003 Active Directory allows you to create additional UPN suffixes that can be used to simplify logon for users.
- The schema is the storage location for the definitions of all objects and their attributes that can be created in Active Directory.
- One domain controller in an Active Directory forest holds the Schema Master role, but the schema partition is replicated to all domain controllers in a forest.
- The Active Directory schema can be extended to include new object classes and attributes.
Instructor notes: Continue to summarize the information presented in this chapter. When you have completed your summary, direct students to the review questions and case scenarios at the end of the chapter.