September 18, 2002 Windows 2000 Server Active Directory By Jerry Haggard.


Slide 1: Windows 2000 Server Active Directory, by Jerry Haggard

Slide 2: Objectives
– What is Active Directory
– How is it used
– Security features

Slide 3: The Role of Active Directory
– To create a single, enterprise-wide view of every network element regardless of location.
– Provide single-point management of the entire network, together with the ability to delegate management of particular parts of the network to individual administrators.
– Enable administrators and users to easily and quickly find a particular network element, such as a file or printer, by specifying a set of properties for the element sought.

Slide 4: Needed Definitions
– Directory – Source of information about objects.
– Objects – Abstractions of categories of network elements, such as files and users.
– Containers – Establish the Active Directory hierarchy; hold groups of similar objects.
– Organizational Units (OU) – Named containers of users and other objects.
– Attributes – Properties of objects, such as name, address, etc.
– Global Catalog (GC) – Hierarchical database containing entries in enterprise domains.

Slide 5: AD's Integration with DNS
– AD uses DNS naming for its domains.
– AD is dependent on DNS to act as a locator service.
– DNS servers for an AD must be compatible with AD, or AD will not function.
– Four areas to document for an AD and DNS namespace design: Forest Plan, Domain and DNS strategy, Organizational Units (OUs), Site Topology.

Slide 6: Forest Plan
– Due to the nature of forests, most enterprises' forests will be small.
– Forests are collections of multiple domain trees within AD.
– Trees within a forest not only have a trust relationship, but also a common configuration.
– The structure within a forest is transparent to users.

Slide 7: Domains
– Domains are the top-level division within a forest.
– Domains should be both a logical and a physical division.
– There is significantly more traffic within a Domain than between Domains.
– New Domains should only be added as traffic overwhelms the available bandwidth.
– A Domain is an administrative division, offering a boundary for security policies.

Slide 8: Domains (cont.)
– All objects within a Domain are granted identical security policies:
  – Password Policy
  – Account Lockout Policy
  – Kerberos Ticket Policies
– A user can only be authenticated within the local Domain. A user cannot be authenticated to another Domain, even within the same forest.

Slide 9: Root Domain
– The first domain to be established in a forest is the Root Domain.
– Two ways to establish the Root:
  – As a standard Domain that contains user accounts and published resources
  – As an empty Domain that has no purpose other than to publish the schema and make it available to all other domains in the forest
– The first option has an advantage in a system with only one domain.
– The second has the advantage in larger systems, as it cannot become obsolete.

Slide 10: Organizational Units (OUs)
– OUs are the container objects that sit within domains; they are designed to be flexible.
– An administrator can create, delete, or reorganize them at any time.
– Two items will impact the OU design: Group Policy and Administration.
– In both, the OU is the boundary.
– Different administrators can be granted access to different OUs without concern about conflicts of administrative control.
– The OU hierarchy can reflect organizational charts or another tree structure.

Slide 11: Site Topology
– Site topology is a representation of the physical network.
– Sites, as well as their AD names, should represent the physical network, and each site should have a domain controller within it.
– A site should consist of networks that are connected by fast and reliable links (LANs or high-speed WANs).
– Unlike domains, sites are easily added, moved, changed, or deleted.
– Use of sites is one of the methods that make AD scalable as a network grows.

Slide 12: Understanding Security
– Rights can only be assigned to security principals.
– Security principals consist of user accounts, computer accounts, and security groups.
– Security groups are either Domain Local groups or Global groups.
– OUs are not security principals. Rights cannot be assigned to an OU with users and groups inheriting those rights.
– Global groups may be created within an OU, thus effectively giving the OU rights.

Slide 13: Domain Security Console
– Security for AD is configured in many places, but domain-wide policies are configured in the Domain Security Policy console.
– Several containers within the DSP console:
  – Account Policy
  – Local Policy
  – Event Log
  – Restricted Groups
  – System Services
  – File System
  – Public Key Policies
  – IP Security Policies
  – Registry

Slide 14: Account Policies
– Password Policy
  1. Enforce password history
  2. Maximum password age
  3. Minimum password age
  4. Minimum password length
  5. Degree of complexity requirement
  6. Store password using reversible encryption
  7. User must log on to change password

Slide 15: Account Policy
– Account Lockout Policy
  – Account Lockout Duration
  – Account Lockout Threshold (how many login attempts)
  – Reset Account Lockout Counter (number of minutes before the threshold is reset to 0)

Slide 16: Account Policy
– Kerberos Policy
  1. Enforce user logon restrictions
  2. Maximum lifetime for service ticket
  3. Maximum lifetime for user ticket
  4. Maximum lifetime for user ticket renewal
  5. Maximum tolerance for computer clock synchronization

Slide 17: Local Policies
– Audit policy
  1. Logins
  2. Access to objects
  3. Access to system events
  4. Policy changes
– Event log
  1. Settings manage the system, application, and security logs
  2. Manages access to logs
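The password, lockout, Kerberos and audit settings listed on slides 14 through 17 are the ones a domain security export exposes, so they can be checked against a baseline rather than eyeballed in the console. The script below is an added example, not part of the original presentation. It parses the INF text that `secedit /export` writes and assumes the `[System Access]`, `[Kerberos Policy]` and `[Event Audit]` key names of that export; the sample export and the thresholds in `CHECKS` are constructed for illustration and are not values from the slides.

```python
# Added example: parse a secedit-style INF export and compare it with a baseline.
# Key names follow the [System Access], [Kerberos Policy] and [Event Audit]
# sections of `secedit /export`; the sample text and thresholds are constructed.
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 24
ClearTextPassword = 1
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Event Audit]
AuditLogonEvents = 1
AuditObjectAccess = 3
AuditSystemEvents = 3
AuditPolicyChange = 3
"""
# (section, key, operator, expected, slide wording).  Thresholds are assumptions.
# Event Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
CHECKS = [
    ("System Access", "PasswordHistorySize", ">=", 24, "Enforce password history"),
    ("System Access", "MaximumPasswordAge", "<=", 60, "Maximum password age (days)"),
    ("System Access", "MinimumPasswordAge", ">=", 1, "Minimum password age (days)"),
    ("System Access", "MinimumPasswordLength", ">=", 8, "Minimum password length"),
    ("System Access", "PasswordComplexity", "==", 1, "Degree of complexity requirement"),
    ("System Access", "ClearTextPassword", "==", 0, "Store password using reversible encryption"),
    ("System Access", "LockoutBadCount", "range", (1, 10), "Account Lockout Threshold (0 = never lock)"),
    ("System Access", "LockoutDuration", ">=", 15, "Account Lockout Duration (minutes)"),
    ("System Access", "ResetLockoutCount", ">=", 15, "Reset Account Lockout Counter (minutes)"),
    ("Kerberos Policy", "TicketValidateClient", "==", 1, "Enforce user logon restrictions"),
    ("Kerberos Policy", "MaxServiceAge", "<=", 600, "Maximum lifetime for service ticket (minutes)"),
    ("Kerberos Policy", "MaxTicketAge", "<=", 10, "Maximum lifetime for user ticket (hours)"),
    ("Kerberos Policy", "MaxRenewAge", "<=", 7, "Maximum lifetime for user ticket renewal (days)"),
    ("Kerberos Policy", "MaxClockSkew", "<=", 5, "Maximum tolerance for clock synchronization (minutes)"),
    ("Event Audit", "AuditLogonEvents", "==", 3, "Audit logins (success and failure)"),
    ("Event Audit", "AuditObjectAccess", "==", 3, "Audit access to objects"),
    ("Event Audit", "AuditSystemEvents", "==", 3, "Audit system events"),
    ("Event Audit", "AuditPolicyChange", "==", 3, "Audit policy changes"),
]

def parse_inf(text):
    """Return {section: {key: value}}; ';' comments and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def _passes(op, actual, expected):
    if op == "==":
        return actual == expected
    if op == ">=":
        return actual >= expected
    if op == "<=":
        # secedit writes -1 for "never"; a negative age or lifetime never passes.
        return 0 <= actual <= expected
    if op == "range":
        low, high = expected
        return low <= actual <= high
    raise ValueError(f"unknown operator {op!r}")

def evaluate(sections, checks=CHECKS):
    """Return one (section, key, problem, description) tuple per failed check."""
    findings = []
    for section, key, op, expected, description in checks:
        raw = sections.get(section, {}).get(key)
        if raw is None:
            findings.append((section, key, "setting not present in export", description))
            continue
        try:
            actual = int(raw)
        except ValueError:
            findings.append((section, key, f"non-numeric value {raw!r}", description))
            continue
        if not _passes(op, actual, expected):
            findings.append((section, key, f"is {actual}, want {op} {expected}", description))
    return findings

if __name__ == "__main__":
    for section, key, problem, description in evaluate(parse_inf(SAMPLE_INF)):
        print(f"[{section}] {key}: {problem}  ({description})")
```

Run against the constructed sample, the checker reports the short minimum length, the disabled complexity requirement, reversible-encryption storage being on, a lockout threshold of 0 (no lockout at all) and logon auditing that records successes only. A setting that is absent from the export is reported too, since a missing key usually means the policy was never defined rather than that it is safe.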

Slide 18: Registry and File System
– Registry settings can secure individual registry keys from being edited by a user.
– An administrator can add, edit, or delete registry keys and then secure them.
– File System policy can configure security for files and folders. This is more granular control over files and folders than share-level security as in NT 4.0. It offers a single point of security administration for the local domain controller.

Slide 19: Public Key and IPSec Policies
– Public key policies let you add automatic certificate requests and manage certificate authority behavior.
– IP Security policies will manage IP Security (IPSec) if it is installed.

Slide 20: Conclusion
– Active Directory is a directory service available on Windows 2000 servers.
– AD allows for easier management of and access to network facilities.
– Security of the network is a very important part of AD.
– Security is much more finely grained in AD than was available in previous MS servers.
– Still, as with all MS closed-source applications, there are vulnerabilities that can be exploited.

Questions?

