Active Directory Domain Services - PowerPoint Presentation

Uploaded by tawny-fly (@tawny-fly) on 2018-09-20

Presentation Transcript


Active Directory Domain Services (AD DS)

Identity and Access (IDA)

An IDA infrastructure should:

Store information about users, groups, computers and other identities.

An identity is a representation of an entity that will perform actions on a server.

A component of the IDA is the identity store that contains properties that uniquely identify the object such as:

User name

Security identifier (SID)

Password

The Active Directory (AD) data store is an identity store.

The directory itself is hosted on and managed by a domain controller – a server performing the Active Directory Domain Services (AD DS) role.

IDA responsibilities

Authentication

AD uses Kerberos Authentication

Access Control

Maintains an Access Control List (ACL) that reflects a security policy composed of permissions specifying access levels for particular identities.

Audit Trail

Allows monitoring of changes and activities within the IDA infrastructure.
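The audit trail above is only useful if directory changes are actually recorded and someone reads them. The following PowerShell is an added example, not part of the presentation: it enables the relevant audit subcategory on a domain controller and summarises the resulting Security-log events. It assumes Windows PowerShell on a DC with administrative rights; the event IDs and EventData field names are the ones Windows uses for directory service change auditing, and the group names it filters on are the built-in administrative groups.

```powershell
# Added example (not from the presentation): enable auditing of directory
# service changes on a domain controller and summarise the resulting events.
# Assumes Windows PowerShell on a DC with administrative rights. Event IDs 5136
# (object modified), 5137 (created), 5139 (moved) and 5141 (deleted) appear in
# the Security log once the subcategory is enabled and the object's SACL asks
# for auditing.

# 1. Turn on the audit subcategory for success and failure.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. Pull recent directory-change events and flatten their EventData fields.
function Get-DirectoryChangeEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = 5136, 5137, 5139, 5141
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 5136 reports the change as a value add (%%14674) or delete (%%14675).
        $op = switch ($data['OperationType']) {
            '%%14674' { 'added' }
            '%%14675' { 'deleted' }
            default   { $_ }
        }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Actor     = $data['SubjectUserName']
            ObjectDN  = $data['ObjectDN']
            Class     = $data['ObjectClass']
            Attribute = $data['AttributeLDAPDisplayName']
            Value     = $data['AttributeValue']
            Operation = $op
        }
    }
}

# 3. Surface the changes an administrator most wants to see first:
#    membership edits on the built-in administrative groups.
Get-DirectoryChangeEvents -Hours 24 |
    Where-Object { $_.Attribute -eq 'member' -and
                   $_.ObjectDN -match '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators),' } |
    Format-Table Time, Actor, Operation, ObjectDN, Value -AutoSize
```

Enabling the subcategory alone produces nothing for objects whose SACL does not request auditing, so pair this with a review of the SACLs on the containers that matter; the same function can be pointed at other attributes (for example `userAccountControl` or `servicePrincipalName`) by changing the filter.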

IDA Technologies supported by AD

Identity

Applications

Trust

Integrity

Partnership

Identity

Active Directory Domain Services (AD DS)

A central repository for identity management.

Provides authentication and authorization services through Group Policy.

Provides information management and sharing services enabling users to find any component by searching the directory.

Applications

Active Directory Lightweight Directory Services (AD LDS)

Essentially a standalone version of AD

Stores and replicates only application related information.

Commonly used by applications that require a directory store but do not require information to be replicated as widely as to all domain controllers.

Allows you to deploy a custom schema to support an application without modifying the AD DS schema.

Formerly known as Active Directory Application Mode (ADAM).

Trust

Active Directory Certificate Services (AD CS)

Used to set up a certificate authority for issuing digital certificates as part of a public key infrastructure (PKI) that binds the identity of a person, device, or service to a corresponding private key.

If you use AD CS to provide these services to external communities, then AD CS should be linked with a well-known external CA.

Integrity

Active Directory Rights Management Services (AD RMS)

An information-protection technology that enables you to implement persistent usage policy templates that define allowed and unauthorized use, e.g. you could configure a template that allows users to read a document but not to print or copy its contents.

Partnership

Active Directory Federation Services (AD FS)

Enables an organization to extend IDA across multiple platforms including both Windows and non-Windows environments.

Projects identity and access rights across security boundaries to trusted partners.

Supports single sign-on (SSO).

Beyond IDA

AD delivers more than IDA solutions.

AD provides the mechanisms to support, manage, and configure resources in a distributed network environment.

Schema

Policy-based administration

Replication services

Schema

A set of rules that defines the classes of objects and attributes that can be contained in the directory.

e.g. the fact that AD has user objects that include a user name and password is because the schema defines the user object class, the two attributes, and the association between the object class and the attributes.

Policy-based administration

Provides a single point at which to configure settings that are then deployed to multiple systems.

Such policies include:

Group policy

Audit policies

Fine-grained password policies
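Of the three policy types listed, fine-grained password policies are the one that is configured directly in the directory rather than through a GPO. The PowerShell below is an added example, not from the presentation: it creates a password settings object for privileged accounts and then shows how to check which policy a given user actually ends up with. It assumes the ActiveDirectory module and a domain at the Windows Server 2008 functional level or higher (which fine-grained policies require); the policy, group and user names are constructed for illustration.

```powershell
# Added example (not from the presentation): create a fine-grained password
# policy for privileged accounts and confirm which policy applies to a user.
# Assumes the ActiveDirectory module and a domain functional level of
# Windows Server 2008 or higher. Names below are constructed for illustration.

Import-Module ActiveDirectory

# Lower Precedence wins when several policies apply to the same user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedUsers' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 20 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Policies bind to users or global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedUsers' -Subjects 'Tier0-Admins'

# Resultant policy: the default domain policy applies only when no PSO does.
function Get-EffectivePasswordPolicy {
    param([string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        [pscustomobject]@{
            User             = $SamAccountName
            Source           = $pso.Name
            MinLength        = $pso.MinPasswordLength
            LockoutThreshold = $pso.LockoutThreshold
        }
    } else {
        $dp = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{
            User             = $SamAccountName
            Source           = 'Default Domain Policy'
            MinLength        = $dp.MinPasswordLength
            LockoutThreshold = $dp.LockoutThreshold
        }
    }
}

Get-EffectivePasswordPolicy -SamAccountName 'alice.admin'
```

Because precedence decides between overlapping policies, it is worth running the resultant-policy check for a few accounts in each tier after any change, rather than assuming the new object took effect.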

Replication Services

Distribute directory data across a network

This includes both the data store itself as well as data required to implement policies and configuration, including logon scripts.

Global Catalog

Enables you to query AD and locate objects in the data store.

Contains information about every object in the directory.

Can be used by programmatic interfaces such as Active Directory Services Interface (ADSI) and Lightweight Directory Access Protocol (LDAP).

Components of an AD Infrastructure

Active Directory data store

Domain controller

Domain

Forest

Tree

Functional level

Organizational unit (OU)

Sites

Active Directory Data Store

AD DS stores its identities in the directory – a data store on domain controllers

The directory is a single file named Ntds.dit that is located in the %SystemRoot%\Ntds folder on a domain controller.

The database is divided into several partitions, including the schema, configuration, global catalog, and the domain naming context.
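Because Ntds.dit is the identity store itself, two things are worth verifying on every domain controller: where the file actually lives (the path is configurable) and who can read the folder that holds it. The PowerShell below is an added example, not from the presentation; it reads the NTDS service parameters from the registry, reports the folder ACL, and lists the partitions this DC hosts. It assumes the ActiveDirectory module in a local session on the DC, and the registry value names are the standard ones written by the NTDS service.

```powershell
# Added example (not from the presentation): locate the directory database on a
# domain controller, check who can read the folder holding it, and list the
# directory partitions (naming contexts) this DC hosts.
# Assumes the ActiveDirectory module and a local session on the DC.

Import-Module ActiveDirectory

$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
$ditPath = $params.'DSA Database file'          # normally %SystemRoot%\NTDS\ntds.dit
$logPath = $params.'Database log files path'
if (-not $ditPath) { throw 'NTDS parameters not found: run this on a domain controller.' }

"Database : $ditPath"
"Log files: $logPath"

# The folder should be readable only by SYSTEM and Administrators. The file
# holds the credential material for every account, so any broader grant is
# worth reviewing.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$acl = Get-Acl (Split-Path $ditPath -Parent)
foreach ($ace in $acl.Access) {
    $flag = if ($expected -contains $ace.IdentityReference.Value) { 'ok' } else { 'REVIEW' }
    '{0,-8} {1,-35} {2}' -f $flag, $ace.IdentityReference.Value, $ace.FileSystemRights
}

# Partitions hosted here: schema, configuration and domain naming contexts,
# plus application partitions (e.g. DNS zones) when present.
$root = Get-ADRootDSE
"Naming contexts:"
$root.namingContexts | ForEach-Object { "  $_" }
"Schema        : $($root.schemaNamingContext)"
"Configuration : $($root.configurationNamingContext)"
"Domain        : $($root.defaultNamingContext)"
"Global catalog: $((Get-ADDomainController -Identity $env:COMPUTERNAME).IsGlobalCatalog)"
```

The global catalog is not a separate partition file: it is the partial replica of every domain partition that a DC holds when its IsGlobalCatalog flag is set, which is why the last line reports it as a property of the DC rather than as a naming context.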

Domain Controller (DC)

The DCs are servers that perform the AD DS role.

The DCs also run the Kerberos Key Distribution Center (KDC) service.

Domain

Requires one or more DCs

DCs replicate the domain’s partition of the data store so that any DC can authenticate any identity in the domain.

Is a scope of administrative policies such as password complexity and account lockout policies.

Forest

A collection of one or more AD domains.

The first domain installed in a forest is called the forest root domain.

A forest contains a single definition of network configuration and a single instance of the directory schema.

A forest is a single instance of the directory – no data is replicated by AD outside the boundaries of the forest.

A forest defines a security boundary.
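If the forest is the security boundary, then trusts are the points at which identities from outside it are accepted, and they deserve a periodic review. The PowerShell below is an added example, not from the presentation: it lists every trust of the current domain and flags two settings that widen what the trust admits. It assumes the ActiveDirectory module and only reads configuration.

```powershell
# Added example (not from the presentation): review the trusts of the current
# domain, since a trust is where identities from outside the forest boundary
# are accepted. Assumes the ActiveDirectory module; the script only reads.

Import-Module ActiveDirectory

function Get-TrustReview {
    Get-ADTrust -Filter * | ForEach-Object {
        $notes = @()
        # Without selective authentication, every account in the trusted domain
        # may authenticate to every computer on this side of the trust.
        if (-not $_.SelectiveAuthentication) {
            $notes += 'selective authentication off'
        }
        # On external (non-forest, non-intra-forest) trusts, quarantine is the
        # SID-filtering setting that stops SIDs from other domains carried in
        # sidHistory from being honoured across the trust.
        if (-not $_.IntraForest -and -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined) {
            $notes += 'SID filtering (quarantine) off on external trust'
        }
        [pscustomobject]@{
            Partner                 = $_.Target
            Direction               = $_.Direction
            TrustType               = $_.TrustType
            IntraForest             = $_.IntraForest
            ForestTransitive        = $_.ForestTransitive
            SelectiveAuthentication = $_.SelectiveAuthentication
            Notes                   = ($notes -join '; ')
        }
    }
}

Get-TrustReview | Format-Table -AutoSize
```

Intra-forest (parent-child and tree-root) trusts are reported for completeness but not flagged: inside the forest there is no boundary to enforce, which is exactly the point the slide makes.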

Tree

The DNS namespace of domains in a forest creates trees within the forest.

If a domain is a subdomain of another domain, the two domains are considered a tree.

The domains must constitute a contiguous portion of the DNS namespace.

Trees are the result of the DNS names chosen for the domains in a forest.

Functional Level

The functionality available in an AD domain or forest depends on its functional level.

The three domain functional levels are:

Windows 2000 native

Windows Server 2003

Windows Server 2008

The functional level determines the versions of Windows permitted on domain controllers.
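The domain controller and functional level slides fit together in practice: before raising a functional level you need to know every DC, its operating system and whether its KDC is healthy, because raising the level is a one-way change. The PowerShell below is an added example, not from the presentation, covering both slides; it assumes the ActiveDirectory module under Windows PowerShell (whose `Get-Service -ComputerName` parameter it uses) and rights to query services on each DC.

```powershell
# Added example (not from the presentation): inventory the domain controllers,
# confirm the KDC service is running on each, and show the domain and forest
# functional levels next to the operating systems actually deployed.
# Assumes the ActiveDirectory module under Windows PowerShell 5.1.

Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain functional level : $($domain.DomainMode)"
"Forest functional level : $($forest.ForestMode)"

function Get-DcInventory {
    Get-ADDomainController -Filter * | ForEach-Object {
        $kdc = Get-Service -Name kdc -ComputerName $_.HostName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            HostName        = $_.HostName
            Site            = $_.Site
            OperatingSystem = $_.OperatingSystem
            IsGlobalCatalog = $_.IsGlobalCatalog
            IsReadOnly      = $_.IsReadOnly
            KdcStatus       = if ($kdc) { $kdc.Status } else { 'unknown' }
        }
    }
}

$dcs = Get-DcInventory
$dcs | Format-Table -AutoSize

# A DC without a running KDC cannot issue Kerberos tickets for its site.
$dcs | Where-Object { $_.KdcStatus -ne 'Running' } |
    ForEach-Object { "KDC not running (or unreachable) on $($_.HostName)" }

# Raising the level is done with Set-ADDomainMode / Set-ADForestMode; check
# the OperatingSystem column first, since older DCs block the raise.
```

Read-only DCs (`IsReadOnly`) also run a KDC, but with a separate key scope; they show up in the inventory so that a site served only by an RODC is visible at a glance.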

Organizational Units (OUs)

OUs provide a container for objects and a scope within which to manage them.

OUs can have Group Policy Objects (GPOs) linked to them.

GPOs can contain configuration settings that will then be applied automatically to users or computers in an OU.
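The effective policy for an OU is the merge of links from the domain, every parent OU and the OU itself, in application order, subject to inheritance blocking and enforcement. The PowerShell below is an added example, not from the presentation; it shows that merged list for one OU and the computers it reaches. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the OU distinguished name is constructed for illustration.

```powershell
# Added example (not from the presentation): show the GPOs that reach an OU,
# in the order the client applies them, and whether the OU blocks inheritance.
# Assumes the GroupPolicy and ActiveDirectory modules; the OU DN is constructed.

Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-OuPolicyLinks {
    param([string]$OuDn)
    $inh = Get-GPInheritance -Target $OuDn
    # InheritedGpoLinks already merges links from the domain, parent OUs and
    # the OU itself in application order; enforced links survive a block.
    $inh.InheritedGpoLinks | ForEach-Object {
        [pscustomobject]@{
            Order    = $_.Order
            GPO      = $_.DisplayName
            Enabled  = $_.Enabled
            Enforced = $_.Enforced
            LinkedAt = $_.Target
        }
    }
}

$ou = 'OU=Workstations,DC=corp,DC=example'
"Inheritance blocked on ${ou}: $((Get-GPInheritance -Target $ou).GpoInheritanceBlocked)"
Get-OuPolicyLinks -OuDn $ou | Format-Table -AutoSize

# The computer objects those settings will be applied to.
Get-ADComputer -SearchBase $ou -Filter * | Select-Object -ExpandProperty Name
```

A link that is present but `Enabled = False` is easy to miss in the management console; listing links this way makes disabled and enforced links visible in one table.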

Sites

An AD site is an object that represents a portion of the enterprise within which network connectivity is good.

A site creates a boundary of replication and service usage.

DCs within a site replicate changes within seconds.

Changes are replicated between sites on a controlled basis with the assumption that intersite connections are slow, expensive, or unreliable compared to the connections within a site.

Clients will prefer to use distributed services provided by servers in their site or in the closest site.
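Sites only work as described if subnets are assigned to them and the intersite schedule is actually succeeding; a "slow, expensive or unreliable" link that has quietly stopped replicating leaves the remote site authenticating against stale data. The PowerShell below is an added example, not from the presentation: it maps sites, subnets and site links, then reports replication partners with failures or no recent success. It assumes the ActiveDirectory module on Windows Server 2012 or later (for the Get-ADReplication* cmdlets) and rights to query every DC.

```powershell
# Added example (not from the presentation): list sites with their subnets and
# site links, then report replication partners that have failed or not
# succeeded within a window. Assumes the ActiveDirectory module on Windows
# Server 2012 or later and rights to query every DC.

Import-Module ActiveDirectory

# Which site this machine resolved itself into, from the subnet it sits on.
nltest /dsgetsite

# Sites and the subnets assigned to them (a subnet's Site is the site's DN;
# an empty group name means subnets that are assigned to no site).
Get-ADReplicationSubnet -Filter * |
    Group-Object Site |
    ForEach-Object {
        [pscustomobject]@{ Site = $_.Name; Subnets = ($_.Group.Name -join ', ') }
    } | Format-Table -AutoSize

# Site links carry the cost and interval that make intersite replication "controlled".
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize

# Partners with consecutive failures or no success inside the window.
function Get-ReplicationProblems {
    param([int]$MaxHoursSinceSuccess = 24)
    $cutoff = (Get-Date).AddHours(-$MaxHoursSinceSuccess)
    Get-ADDomainController -Filter * | ForEach-Object {
        Get-ADReplicationPartnerMetadata -Target $_.HostName -Scope Server -ErrorAction SilentlyContinue
    } | Where-Object {
        $_.ConsecutiveReplicationFailures -gt 0 -or $_.LastReplicationSuccess -lt $cutoff
    } | Select-Object Server, Partition, Partner, LastReplicationSuccess,
                      ConsecutiveReplicationFailures, LastReplicationResult
}

Get-ReplicationProblems -MaxHoursSinceSuccess 24 | Format-Table -AutoSize
```

Set the window to something comfortably larger than the longest site-link interval, otherwise a healthy but slow link is reported as a problem; the intrasite partners, which the slide says converge within seconds, should never appear in the list at all.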