01 - En - CK - Introducing Active Directory Domain Services

  • 8/6/2019 01 - En - CK - Introducing Active Directory Domain Services

    1/40

    www.supinfo.com

    Copyright SUPINFO. All rights reserved

Introducing Active Directory Domain Services

    2/40

Course objectives

By completing this course, you will:

Overview of Active Directory, Identity, and Access

Active Directory Components and Concepts

Install Active Directory Domain Services

    3/40

Overview of Active Directory, Identity, and Access
    4/40

    Preview

    Information Protection in a Nutshell

    Identity and Access

    Authentication and Authorization

    Authentication

    Access Tokens

    Security Descriptors, ACLs, and ACEs

    Authorization

    Stand-Alone (Workgroup) Authentication

    Active Directory Domains: Trusted Identity Store

    Active Directory, Identity, and Access

    Active Directory and IDA services

    Overview of Active Directory, Identity, and Access

    5/40

    Information Protection

It's all about connecting users to the information they require securely.

One focus:

IDA: Identity and Access

AAA: Authentication, Authorization, Accounting

CIA: Confidentiality, Integrity, Availability, and Authenticity

    6/40

    Identity and Access

Identity: User account

Saved in an identity store (directory database)

Security principal

Represented uniquely by the SID

Resource: Shared Folder

Secured with a security descriptor

DACL or ACL

ACEs or permissions

    7/40

    Authentication and Authorization

A user presents credentials that are authenticated by using the information stored with the user's identity

The system creates a security token that represents the user with the user's SID and all related group SIDs

A resource is secured with an ACL: permissions that pair a SID with a level of access

The user's security token is compared with the ACL of the resource to authorize a requested level of access

    8/40

    Authentication

Credentials: at least two components required (e.g. user name + password)

Two-factor authentication from:

What I am (biometric)

What I know (password)

What I own (smart card)

Two types of authentication:

Local

Remote

Authentication is the process that verifies a user's identity

    9/40

    Access Tokens

A user's access token is equal to:

User SID

Member group SIDs

Privileges (user rights)

    Other access information

    10/40

    Security Descriptors, ACLs and ACEs

Security Descriptor

SACL: owner, audit

DACL or ACL: NTFS permission

ACE: Trustee (by SID) + Access Mask

    11/40

    Authorization

Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource

The system finds the first ACE in the ACL that allows or denies the requested access level for any SID in the user's token
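The access check described on the Authentication and Authorization, Access Tokens and Authorization slides, worked through in Python as an added example (not part of the course material). The SIDs, access-mask bits and the folder's DACL are constructed; the walk over the ACEs is a simplified form of the Windows algorithm, and the ACE left for a deleted account models what the demonstration on the next slide leaves behind in the NTFS DACL.

```python
from dataclasses import dataclass

# Constructed subset of the generic access-mask bits (not the full Win32 mask).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class ACE:
    trustee_sid: str  # SID this ACE pairs with a level of access
    access_mask: int  # bits granted (allow ACE) or refused (deny ACE)
    allow: bool       # True = access-allowed ACE, False = access-denied ACE

@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

def access_check(token, dacl, requested):
    """Compare the SIDs in the token with the resource's DACL.
    ACEs are walked in order: a deny ACE for one of the token's SIDs that
    covers any still-requested bit settles the check as denied; an allow ACE
    removes the bits it grants; the check succeeds once nothing is left.
    dacl=None models a NULL DACL (no protection, everything allowed) and an
    empty list models an empty DACL (nobody is granted anything).
    """
    if dacl is None:
        return True
    token_sids = {token.user_sid} | token.group_sids
    remaining = requested
    for ace in dacl:
        if ace.trustee_sid not in token_sids:
            continue  # ACE applies to no SID in this token
        if not ace.allow and ace.access_mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.access_mask
        if remaining == 0:
            return True
    return remaining == 0

# Constructed SIDs for the sample domain and folder.
ALICE = "S-1-5-21-1000-2000-3000-1104"
DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the local Administrators group
DELETED_USER = "S-1-5-21-1000-2000-3000-1199"  # account deleted; SID no longer resolves

# Canonical order: explicit deny ACEs first, then explicit allow ACEs.
FOLDER_DACL = [
    ACE(ALICE, WRITE, allow=False),
    ACE(DOMAIN_USERS, READ, allow=True),
    ACE(ADMINISTRATORS, READ | WRITE | DELETE, allow=True),
    ACE(DELETED_USER, READ | WRITE, allow=True),  # orphaned ACE: matches no token
]

alice = Token(ALICE, frozenset({DOMAIN_USERS}))
```

Because no token carries the deleted account's SID, its ACE stays in the DACL (shown as an unresolved SID in the NTFS permissions) but grants nothing to anyone, and a new account created with the same name gets a different SID.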

    12/40

    Demonstration

    The trainer will create a new user, give permission to him on a

    local folder then delete this account.

What's happened to the NTFS permissions?

    13/40

    Stand-Alone (Workgroup) Authentication

    The identity store is the SAM database on the Windows system

    No shared identity store

    Multiple user accounts

    Management of passwords is challenging

    14/40

    Active Directory Domains

    Centralized identity store trusted by all domain members

    Centralized authentication service

    Hosted by a server performing the role of an AD DS domain controller

    15/40

    Active Directory, Identity, and Access

An IDA infrastructure should:

Store information about users, groups, computers and other identities

Authenticate an identity

Kerberos authentication used in Active Directory provides single sign-on. Users are authenticated only once.

Control access

Provide an audit trail

    16/40

    Active Directory and IDA Services

Active Directory IDA services:

Active Directory Lightweight Directory Services (AD LDS)

Active Directory Certificate Services (AD CS)

Active Directory Rights Management Services (AD RMS)

Active Directory Federation Services (AD FS)

    17/40

    Stop-and-think part 1

Have you got any questions?

    18/40

Active Directory Components and Concepts

    19/40

    Preview

    Active Directory as a Database

    Demonstration: Active Directory Schema

    Organizational Units

    Policy-Based Management

    Active Directory Data Store

    Domain Controllers

    Domain

    Replication Sites

    Forest

    Tree

    Global Catalog

    Functional Levels

    DNS and Application Partitions

    Trust Relationships

    20/40

    Active Directory As a Database

Active Directory is a database

Each record is an object

    Users, groups, computers, and so on

    Each field is an attribute

Logon name, SID, password, description, membership, and so on

    Identities (security principals or accounts)

    Services: Kerberos, DNS, and replication

    Accessing the database

    Windows tools, user interfaces, and components

    APIs (.NET, VBScript, Windows PowerShell)

    LDAP

    21/40

    Demonstration

The trainer will show you how the Schema acts as a blueprint for Active Directory by exploring some attributes and object classes.
    22/40

    Organizational Units

Containers

Users

Computers

    Organizational Units

Containers that also support the management and configuration of objects by using Group Policy

    Create OUs to:

    Delegate administrative permissions

    Apply Group Policy

    23/40

    Policy-Based Management

Active Directory provides a single point of management for security and configuration through policies

    Group Policy

    Domain password and lockout policy

    Audit policy

    Configuration

Applied to users or computers by scoping a GPO containing configuration settings

    Fine-grained password and lockout policies

    24/40

    Active Directory Data Store

    %systemroot%\NTDS\ntds.dit

    Logical partitions

    Domain naming context

    Schema

    Configuration

    Global catalog (Partial Attribute Set)

    DNS (application partitions)

    SYSVOL

    %systemroot%\SYSVOL

    Logon scripts

    Policies

Diagram: partitions of the data store (Schema, Configuration, Domain, DNS, PAS)
    25/40

    Domain Controllers

Servers that perform the AD DS role

Host the Active Directory database (NTDS.DIT) and SYSVOL

    Replicated between domain controllers

    Kerberos KDC service: Performs authentication

    Other Active Directory services

    Best practices

    Availability: At least two in a domain

    Security: Server Core and RODCs

    26/40

    Domain

    Made up of one or more DCs

All DCs replicate the Domain naming context (Domain NC)

The domain is the context within which Users, Groups, Computers, and so on are created

Replication boundary

Trusted identity source: Any DC can authenticate any logon in the domain

The domain is the maximum scope (boundary) for certain administrative policies

    Password

    Lockout

    27/40

    Replication

Multimaster replication

Objects and attributes in the database

Contents of SYSVOL are replicated

Several components work to create an efficient and robust replication topology and to replicate granular changes to AD

The Configuration partition of the database stores information about sites, network topology, and replication

    28/40

    Sites

    An Active Directory object that represents a well-connected portion of your network

    Associated with subnet objects representing IP subnets

    Intrasite vs. intersite replication

Replication within a site occurs very quickly (15-45 seconds)

    Replication between sites can be managed

    Service localization

    Log on to a DC in your site

    29/40

    Forest

    A collection of one or more Active Directory domain trees

    First domain is the forest root domain

Single configuration and schema replicated to all DCs in the forest

    A security and replication boundary

    30/40

    Tree

One or more domains in a single instance of AD DS that share contiguous DNS namespace

    supinfo.lan

    nantes.supinfo.lan

    supinfo-projects.lan

    31/40

    Global Catalog

    Partial Attribute Set or Global Catalog

    Contains every object in every domain in the forest

    Contains only selected attributes

    A type of index

    Can be searched from any domain

    Very important for many applications

    32/40

    Functional Levels

    Domain functional levels

    Forest functional levels

New functionality requires that domain controllers are running a particular version of Windows

    Windows 2000

    Windows Server 2003

    Windows Server 2008

    Windows Server 2008 R2

Cannot raise functional level while domain controllers are running previous Windows versions

Cannot add domain controllers running previous Windows versions after raising functional level
    33/40

    DNS and Application Partitions

Active Directory and DNS are closely integrated

One-to-one relationship between the DNS domain name and the logical domain unit of Active Directory

Complete reliance on DNS to locate computers and services in the domain

A domain controller acting as a DNS server can store the zone data in Active Directory itself in an application partition

Diagram: partitions of the data store (Schema, Configuration, Domain, DNS, PAS)
    34/40

    Trust Relationships

Extends concept of trusted identity store to another domain

Trusting domain (with the resource) trusts the identity store and authentication services of the trusted domain

A trusted user can authenticate to, and be given access to resources in, the trusting domain

Within a forest, each domain trusts all other domains

Trust relationships can be established with external domains
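A constructed Python model of the Tree and Trust Relationships slides, added here and not part of the course: the forest domains are the ones shown on the Tree slide; treating supinfo.lan as the forest root, the domain partner.example and the direction of the external trust are assumptions made for this example.

```python
# Constructed model of trees (contiguous DNS namespace) and trusts.
# Forest domains come from the Tree slide; partner.example and the trust
# direction are assumptions for this example.

def tree_root(domain, forest_domains):
    """Highest DNS ancestor of `domain` that is itself a domain of the
    forest; that ancestor is the root of the tree `domain` belongs to."""
    labels = domain.split(".")
    root = domain
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in forest_domains:
            root = ancestor
    return root

def group_trees(forest_domains):
    """Group the forest's domains into trees: domains sharing a contiguous
    DNS namespace belong to the same tree (supinfo-projects.lan shares
    only the 'lan' label, which is not a domain, so it forms its own tree)."""
    trees = {}
    for domain in forest_domains:
        trees.setdefault(tree_root(domain, forest_domains), set()).add(domain)
    return trees

def trusts(trusting, trusted, forest_domains, external_trusts):
    """Does `trusting` (the domain holding the resource) trust the identity
    store and authentication services of `trusted`?
    Inside a forest every domain trusts every other domain. An external
    trust is a directed (trusting, trusted) pair (a two-way trust is two
    pairs) and is non-transitive: no other forest domain inherits it."""
    if trusting == trusted:
        return True
    if trusting in forest_domains and trusted in forest_domains:
        return True
    return (trusting, trusted) in external_trusts

def can_access(user_domain, resource_domain, forest_domains, external_trusts):
    """A user can authenticate to, and be given access to resources in,
    a domain only if that domain trusts the user's own domain."""
    return trusts(resource_domain, user_domain, forest_domains, external_trusts)

# Sample forest: tree supinfo.lan (forest root, assumed) with child
# nantes.supinfo.lan, and a second tree supinfo-projects.lan.
FOREST = {"supinfo.lan", "nantes.supinfo.lan", "supinfo-projects.lan"}
# One-way external trust: supinfo.lan (trusting) trusts partner.example (trusted).
EXTERNAL_TRUSTS = {("supinfo.lan", "partner.example")}
```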

    35/40

    Stop-and-think part 2

Have you got any questions?
    36/40

Exercises 1 & 2

Now, it's your turn to play!
    37/40

Lab quiz

What can you do with the Initial Configuration Tasks console?

What must you do before starting the dcpromo wizard?

Which tool is used to raise the domain functional level?

    External references

    38/40

    Review this with VTC videos :

    Active Directory Overview

    http://www.vtc.com/products/microsoft_windows_server_2008-tutorials.htm

    39/40

    Review this with Microsoft Press book:

Chapter 1
    Introducing Active Directory Domain Services

    http://library.supinfo.com/BookDetails.aspx?type=cyberlibris&docId=45006345
    40/40

    On The Road Again