Scenario 1
You create a company, Microsoft.
You employ 60 people.
Everybody is provided a workstation to work on.
They are divided into 3 teams of 20 people each.
Everybody comes to the office, works on their computers and stores data on their assigned computers.
Since 20 people work in a team to develop a software product, they need to collaborate and share/review each other's work.
Without AD
Users use a local user account on their computer to log in and work on it. They are the only ones who know the password for this local account.
Nobody else can log in to a user's computer when the workstation owner is out of office, nor can they get access to his work.
If all members of the 20-person team need access to every member's computer, i.e. to log in or access resources stored locally or shared on the computers, we need to create 20 user accounts with separate passwords on all 20 computers. That makes 400 user accounts to create and maintain per team of 20, i.e. 20 user accounts per person, and now each person has to remember 20 different passwords.
If you keep the same user account with the same password on all computers, it is like leaving all doors open: no security, no auditing etc.
All team members can store their work and resources in a common location, possibly a file server.
- If you have to keep all data and resources on a central server, local accounts have to be created and maintained on the file server for all users.
If a user is allowed to use any machine in the company, he may want his user configuration and profile data to roam with him. With local users this is not possible.
The company may need security policies applied on all computers and for all users who use them. Since we are dealing with local user accounts and workgroup computers, we would have to apply security policy and other configuration individually on all computers.
Out of the 20 members in a team, 1 leaves the company and joins Google. After the user has left, if the local accounts created for that user have not been deleted from all computers, he may still be able to hack in and access resources.
**Active Directory**
Microsoft implements AD:
Security settings and configuration can be deployed to users and computers.
Software can be deployed to users/computers.
Users can be restricted to using only selected software.
Features of applications and the OS can be turned on/off.
AD provides a central store where user and computer details are kept; you can back up the database, so disaster recovery is easy.
Stand-alone (Workgroup)
Authentication
The identity store is the Security Accounts Manager (SAM) database on the Windows system
No shared identity store
Multiple user accounts
Management of passwords is challenging
Forest diagram (from the slide): two domain trees, treyresearch.net and proseware.com; child domain antarctica.treyresearch.net under treyresearch.net.
Designing AD Infrastructure
Scenario 2:
Company name: Tatamotors.com
Line of business: automobile manufacturer
Factory in one place, head office in another, retail outlets in 5 places.
1000 employees
- 600 in the factory in Gujarat
- 150 in the head office in Bangalore
- 50 in each retail outlet: 1 in Gujarat, 1 in Bangalore, 1 in Hubli and 2 in Maharashtra
Solution: Stage 1
Let's start with a datacentre in the same physical location as the factory.
We start by building a FOREST named Tatamotors.com.
Root domain: Tatamotors.com
For a domain to be created we should have at least 1 DC, so we promote one.
Create 1000 users and add computer accounts for all users.
LAB1:
Create a forest and domain by promoting the 1st DC in the forest.
Create 2 user accounts under one OU.
Create 2 security groups.
Add 1 user to 1 group; do it for both users.
Problem statement
All 1000 users querying and authenticating against one server adds too much load on the server:
slower response
NO response, because the server may have become unresponsive.
Solution: Stage 2
1000 users and 1000 computers may be too much load for 1 DC, so you decide to add 1 more DC to support user authentication, LDAP queries etc.
High availability of Active Directory services: the 2nd DC is available if one of the DCs is down.
New DCs should have the same data as the 1st one, hence AD replication was born.
Now any DC can authenticate users and service LDAP or LSA requests. This makes the DCs in a domain share the load; NLB is NOT required to do load balancing.
LAB2
Promote a 2nd DC in the same domain.
Create a user on DC 1 and see how it replicates to the 2nd DC.
Change a user attribute on DC 2, and see how that change gets replicated to DC 1.
Disconnect one DC, and check if we are still able to authenticate.
Domain Controllers
Servers that perform the AD DS role
Host the Active Directory database (NTDS.DIT) and SYSVOL
Replicated between domain controllers
Kerberos Key Distribution Center (KDC) service: authentication
Other Active Directory services
Best practices
Available: at least two in a domain
Secure: Server Core, read-only domain controllers (RODCs)
SYSVOL
%systemroot%\SYSVOL
Logon scripts
Policies
NTDS.DIT (directory partitions held by a DC)
Schema
Configuration
Domain
DNS
PAS (partial attribute set)
Replication
Multimaster replication
Objects and attributes in the database
Contents of SYSVOL are replicated
Functional Level
Domain functional levels
Forest functional levels
New functionality requires that domain controllers are running a particular version of Windows:
Windows 2000
Windows Server 2003
Windows Server 2008
Group Type
Distribution groups
Used only with e-mail applications
Not security-enabled (no SID); cannot be given permissions
Security groups
Security principal with a SID; can be given permissions
Can also be e-mail enabled
Group Scope
Four group scopes
Local
Global
Domain Local
Universal
Problem Statement
All DCs are in the datacentre in Gujarat.
Users in the same physical site (the factory) see faster user authentication, group policy application and file server access.
Users in the offices in Karnataka and Maharashtra see slow responses from DCs, purely because of network latency: the head office and retail outlets are connected to the datacentre over a slow link.
All account management requests, like user creation, password reset, unlocking accounts and configuring security policy for the computers in one office, need to be sent to the head office.
Scenario 3
A business may start with just the automobile business:
2-wheeler business
4-wheeler business
Domain structure:
Contoso.com (root domain)
Bikes.contoso.com - child domain - contains all user, workstation and server accounts that are part of the 2-wheeler auto business division of this company.
Cars.contoso.com - child domain - contains all user, workstation and server accounts that are part of the 4-wheeler auto business division of this company.
The company decides to start a new steel business; they may want to give it a different brand name and not use the same contoso.com namespace.
- New domain tree in the same forest: Contososteel.net
All the above domains, since they are in the same forest, have a 2-way transitive trust with each other.
Then the Contoso group decides to acquire a new finance company, Finserve.com. Since this business is not closely related to the automobile business, they may decide to keep its IT infrastructure separate. It may also be that the finance company already had a successfully running business and we do not want to lose their goodwill.
We keep the forest structure of the finance company as it is, and just create a TRUST between the finserve.com forest and the contoso.com forest. This trust lets us access resources across each other.
Trust Relationships
Diagram (from the slide): a trusted domain and a trusting domain. Each domain controller holds the Schema and Configuration partitions plus its own Domain partition (Domain A or Domain B); the Global Catalog Server holds Schema, Configuration and a Domain B replica.
Domain-wide operations master roles
RID master: provides pools of RIDs to DCs, which use them for SIDs
Infrastructure master: tracks changes to objects in other domains that are members of groups in this domain
PDC emulator: plays several very important roles
LAB3
Authentication
Authentication is the process that verifies a user's identity.
Authentication and Authorization
A user presents credentials that are authenticated using the information stored with the user's identity.
The system creates a security token that represents the user with the user's SID and all related group SIDs.
A resource is secured with an access control list (ACL): permissions that pair a SID with a level of access.
The user's security token is compared with the ACL of the resource to authorize a requested level of access.
Access Tokens
User's Access Token: User SID; Member Group SIDs; Privileges (user rights); Other access information
Security Descriptor: System ACL (SACL); Discretionary ACL (DACL or ACL), made up of ACEs, each pairing a Trustee (SID) with an Access Mask
Diagram: Identity -> Access Management -> Resource; with groups: Identity -> Group -> Access Management -> Resource
NTLM
1. (Interactive authentication only) A user accesses a client computer and provides
a domain name, user name, and password. The client computes a cryptographic
hash of the password and discards the actual password.
2. The client sends the user name to the server (in plaintext).
3. The server generates a 16-byte random number, called a challenge or nonce,
and sends it to the client.
4. The client encrypts this challenge with the hash of the user's password and
returns the result to the server. This is called the response.
5. The server sends the following three items to the domain controller:
User name
Challenge sent to the client
Response received from the client
6. The domain controller uses the user name to retrieve the hash of the user's
password from the Security Account Manager database. It uses this password
hash to encrypt the challenge.
7. The domain controller compares the encrypted challenge it computed (in step 6)
to the response computed by the client (in step 4). If they are identical,
authentication is successful.
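The seven NTLM steps above as a runnable exchange between the three parties. This is an added example, not code from the original notes or from Microsoft; it models the message flow only. Two stand-ins are assumptions: the "hash of the password" is SHA-256 over the UTF-16LE password (real NTLM uses MD4), and the response is HMAC-SHA256 of the challenge under that hash (real NTLM has its own response functions). The account, user names and passwords are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed model of the NTLM message flow. Assumed stand-ins, not the
# real algorithms: SHA-256 instead of MD4 for the password hash, HMAC-SHA256
# instead of the NTLM response function. The flow and the DC's check are
# what the example demonstrates.


def password_hash(password: str) -> bytes:
    """Step 1: derive the hash that stands in for the password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def response_for(pw_hash: bytes, challenge: bytes) -> bytes:
    """Steps 4 and 6: the same keyed computation on both sides."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class DomainController:
    """Holds user name -> password hash (the role of SAM / NTDS.DIT here)."""

    def __init__(self, accounts):
        self._hashes = {user: password_hash(pw) for user, pw in accounts.items()}

    def verify(self, user, challenge, response):
        """Steps 6 and 7: recompute from the stored hash and compare."""
        stored = self._hashes.get(user)
        if stored is None:
            return False  # unknown user
        expected = response_for(stored, challenge)
        return hmac.compare_digest(expected, response)


class Server:
    """The resource server: issues the challenge, forwards the triple."""

    def __init__(self, dc):
        self.dc = dc
        self._pending = {}

    def begin(self, user):
        """Steps 2 and 3: receive the user name, issue a fresh 16-byte nonce."""
        challenge = secrets.token_bytes(16)
        self._pending[user] = challenge
        return challenge

    def finish(self, user, response):
        """Step 5: send user name, challenge and response to the DC."""
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False  # no outstanding challenge for this user
        return self.dc.verify(user, challenge, response)


class Client:
    def __init__(self, user, password):
        self.user = user
        self.pw_hash = password_hash(password)  # plaintext is not kept

    def authenticate(self, server):
        challenge = server.begin(self.user)
        return server.finish(self.user, response_for(self.pw_hash, challenge))


def run_exchange():
    """Three logons against one DC: right password, wrong password, unknown user."""
    dc = DomainController({"alice": "correct horse battery"})  # constructed account
    server = Server(dc)
    return (
        Client("alice", "correct horse battery").authenticate(server),
        Client("alice", "wrong password").authenticate(server),
        Client("mallory", "anything").authenticate(server),
    )


def stale_response_rejected():
    """Why the challenge is random per logon: a response computed for an
    earlier challenge does not satisfy a later one."""
    dc = DomainController({"alice": "correct horse battery"})
    server = Server(dc)
    first = server.begin("alice")
    old_response = response_for(password_hash("correct horse battery"), first)
    accepted_once = server.finish("alice", old_response)
    server.begin("alice")  # a new logon gets a new challenge
    return accepted_once, server.finish("alice", old_response)
```

Note what the DC compares in step 7: it never sees the password, only the stored hash and a response derived from it. The hash store (SAM, or NTDS.DIT on a DC) therefore has to be protected as strictly as the passwords themselves, which is one reason the notes recommend Server Core and read-only domain controllers for DCs.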
Problem statement:
The company wants to have a common location for all the policy/design documents etc.
They need to give all users read access to the data, but the management team also needs write access.
You also want to audit who is accessing the data and check whether some manager is deleting important content.
Solution: Stage 3
Make one domain-joined server a file server.
Share data on it and grant access as per the requirements.
LAB2
Make one of the domain-joined servers a file server.
Share a data folder.
Give read access to one group and full control to the other group.
Deny access to one user.
Access the share as all 3 users and observe the behaviour.
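The authentication/authorization slide, the access token and security descriptor slides, and this file server lab, put together in code. This is an added example, not part of the original notes or Microsoft's code. The SIDs, the access-mask bit values, the groups Staff and Management and the users Alice, Bob and Carol are constructed. The DACL walk follows the Windows rule that ACEs are evaluated in order with deny ACEs placed first, and a SACL entry records an audit event for the management group's delete attempts.

```python
from dataclasses import dataclass, field

# Constructed access-mask bits; a small subset of what a Windows access mask carries.
READ = 0x1
WRITE = 0x2
DELETE = 0x4
FULL_CONTROL = READ | WRITE | DELETE


@dataclass
class AccessToken:
    """What the system builds at logon: the user's SID plus member group SIDs."""
    user_sid: str
    group_sids: frozenset


@dataclass
class ACE:
    """Access control entry: a trustee SID paired with an access mask."""
    trustee_sid: str
    access_mask: int
    allow: bool = True  # False = access-denied ACE (in a SACL: the audited rights)


@dataclass
class SecurityDescriptor:
    dacl: list = field(default_factory=list)  # canonical order: deny ACEs first
    sacl: list = field(default_factory=list)  # audit ACEs


def check_access(token, sd, requested, audit_log=None):
    """Compare the token with the resource's DACL (authorization).

    ACEs are walked in order. A deny ACE for one of the token's SIDs that
    covers any still-unsatisfied requested right refuses access; allow ACEs
    accumulate rights until every requested right is granted. If the DACL
    runs out first, access is denied. Matching SACL entries record an audit
    event for the attempt, whatever the decision.
    """
    sids = {token.user_sid} | set(token.group_sids)
    remaining = requested
    decision = False
    for ace in sd.dacl:
        if ace.trustee_sid not in sids:
            continue
        if not ace.allow:
            if ace.access_mask & remaining:
                break  # explicit deny on a requested right
        else:
            remaining &= ~ace.access_mask
            if remaining == 0:
                decision = True
                break
    if audit_log is not None:
        for ace in sd.sacl:
            if ace.trustee_sid in sids and ace.access_mask & requested:
                audit_log.append((token.user_sid, requested, decision))
    return decision


# Constructed SIDs for the lab: two groups, three users.
STAFF = "S-1-5-21-1000-1000-1000-2001"
MANAGEMENT = "S-1-5-21-1000-1000-1000-2002"
ALICE = "S-1-5-21-1000-1000-1000-1101"
BOB = "S-1-5-21-1000-1000-1000-1102"
CAROL = "S-1-5-21-1000-1000-1000-1103"


def lab_share():
    """The shared folder from the lab: read for Staff, full control for
    Management, an explicit deny for one user (Bob), and auditing of delete
    attempts by Management."""
    return SecurityDescriptor(
        dacl=[
            ACE(BOB, FULL_CONTROL, allow=False),  # deny ACEs come first
            ACE(STAFF, READ),
            ACE(MANAGEMENT, FULL_CONTROL),
        ],
        sacl=[ACE(MANAGEMENT, DELETE)],
    )


def run_lab():
    """Access the share as each of the three users; returns the decisions
    and the audit trail."""
    sd = lab_share()
    tokens = {
        "alice": AccessToken(ALICE, frozenset({STAFF})),
        "bob": AccessToken(BOB, frozenset({STAFF, MANAGEMENT})),
        "carol": AccessToken(CAROL, frozenset({STAFF, MANAGEMENT})),
    }
    audit = []
    results = {}
    for name, tok in tokens.items():
        results[name] = {
            "read": check_access(tok, sd, READ, audit),
            "delete": check_access(tok, sd, DELETE, audit),
        }
    return results, audit
```

Bob is a member of Management, which has full control, yet gets nothing: his deny ACE sits first in the DACL and is hit before any allow ACE is considered. Carol's delete succeeds and lands in the audit trail, which is exactly the "who is deleting content" question the problem statement asks.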
Demo
Netmon trace showing Kerberos authentication and authorization.
Group Policy Infrastructure
Module Overview
Divided between
User Configuration ("user policies")
Computer Configuration ("computer policies")
Define a setting
Not configured (default)
Enabled
Disabled
GPO Scope
Scope: the definition of the objects (users or computers) to which a GPO applies
GPO link: a GPO can be linked to a site, domain, or organizational unit (OU) (SDOU)
A GPO can be linked to multiple site(s) or OU(s)
GPO link(s) define the maximum scope of a GPO
WMI filtering
Refines the scope of a GPO within a link based on a WMI query
Preference targeting
User Configuration: applied at logon
Refreshed every 90-120 minutes
Triggered: GPUpdate command
Implement GPOs
Local GPOs
Domain-Based GPOs
Demonstration: Create, Link, and Edit GPOs
GPO Storage
Demonstration: Policy Settings
Local GPOs
Apply before domain-based GPOs
Any setting specified by a domain-based GPO will override the setting specified by the local GPOs.
Local GPO
One local GPO in Windows 2000, Windows XP, Windows Server 2003
Multiple local GPOs in Windows Vista and later:
Local GPO: computer settings and settings for all users
Administrators GPO: settings for users in Administrators
Non-administrators GPO: settings for users not in Administrators
Per-user GPO: settings for a specific user
Domain-Based GPOs
Created in Active Directory, stored on domain controllers
Two default GPOs
Default Domain Policy
Defines account policies for the domain: password, account lockout, and Kerberos policies
GPO link diagram (from the slide): GPO2 linked at the Site; GPO3 and GPO4 linked at the Domain; GPO5 linked at an OU, with further nested OUs below.
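How the link diagram, the setting states (Not configured / Enabled / Disabled), WMI filtering and the "domain-based overrides local" rule combine into the result a computer actually gets. This is an added example, not code from the original notes or from Microsoft. The GPO-to-container assignment is assumed to match the diagram (GPO2 at the site, GPO3 and GPO4 at the domain, GPO5 at an OU); the setting names, the site name, the OU and the WMI-filter condition are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Setting values as the slide defines them:
#   None  = Not configured (no effect on the result)
#   True  = Enabled
#   False = Disabled


@dataclass
class GPO:
    name: str
    settings: dict                                # setting name -> None/True/False
    wmi_filter: Optional[Callable] = None         # stands in for a WMI filter (assumed)


@dataclass
class Computer:
    """Constructed target: its place in the site/domain/OU hierarchy plus one
    fact a WMI filter could test."""
    site: str
    domain: str
    ou_path: list          # parent OU first, deepest OU last
    is_laptop: bool = False


def effective_settings(computer, local_gpo, links):
    """Resolve the result of the local GPO plus domain-based GPOs.

    `links` maps a container name (site, domain or OU) to the GPOs linked
    there, lowest precedence first. Order of application is local, site,
    domain, then OUs from parent to child, so a later Enabled/Disabled
    overrides an earlier value while Not configured leaves the earlier value
    untouched. A GPO whose WMI filter rejects the computer is skipped.
    Returns the resulting settings and the names of the GPOs applied.
    """
    containers = [computer.site, computer.domain, *computer.ou_path]
    ordered = [local_gpo]
    for container in containers:
        ordered.extend(links.get(container, []))
    result = {}
    applied = []
    for gpo in ordered:
        if gpo.wmi_filter is not None and not gpo.wmi_filter(computer):
            continue
        applied.append(gpo.name)
        for setting, value in gpo.settings.items():
            if value is not None:
                result[setting] = value
    return result, applied


def demo():
    """The diagram's GPO2..GPO5 with constructed settings, resolved for a
    factory desktop and a factory laptop in the Tatamotors.com domain."""
    local = GPO("Local GPO", {"ScreenLock": False, "LocalAdminAllowed": True})
    links = {
        "Site-Gujarat": [GPO("GPO2", {"ScreenLock": True})],
        "tatamotors.com": [
            GPO("GPO3", {"LocalAdminAllowed": False, "ScreenLock": None}),
            GPO("GPO4", {"ScreenLock": False}),
        ],
        "OU=Factory": [
            GPO("GPO5", {"ScreenLock": True, "UsbBlocked": True},
                wmi_filter=lambda c: not c.is_laptop),  # desktops only
        ],
    }
    desktop = Computer("Site-Gujarat", "tatamotors.com", ["OU=Factory"])
    laptop = Computer("Site-Gujarat", "tatamotors.com", ["OU=Factory"], is_laptop=True)
    return effective_settings(desktop, local, links), effective_settings(laptop, local, links)
```

Two things to read off the trace: GPO3 leaves ScreenLock as "Not configured", so it neither enables nor disables it and GPO4 at the same container gets the say; and the laptop, excluded from GPO5 by the filter, ends up with ScreenLock disabled from GPO4 even though the OU policy enables it, which is the kind of gap an auditor checks with a resultant-set-of-policy report.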
AD Certificate Services
Certificates
Usage of certificates:
AD Federation Service
An enterprise claims provider for claims-based applications
Provides an SSO experience across multiple claims-aware applications.
Provides access to a claims-aware application to users in the same or other organizations:
Across forests with no forest trust
Across identity stores via another 3rd-party STS
Reduces concern about developers of custom applications making processor-intensive authentication requests that unexpectedly burden an organization's directory services.
Reduces the need for duplicate accounts and other credential management overhead by enabling federated SSO across organizations, platforms, and applications.
Active Directory Federation Services (AD FS) Overview
http://social.technet.microsoft.com/wiki/contents/articles/1011.active-directory-federation-services-ad-fs-overview.aspx
ADFS Scenario: