4. Designing Domain
Transcript of 4. Designing Domain
Design steps: security business requirements, security technical requirements, design forest, design domain, design OU
Single/Multiple Domain Forest
Once you have decided whether to create a single forest or multiple forests, the next step is to determine how many domains you want in your organization.
When simplicity in a forest is your goal, a single domain is the best decision for an Active Directory design.
Choosing a single domain has the following effects on your Active Directory:
It reduces management of the forest: if the forest has a single domain, the domain admin is also the forest admin.
It reduces the number of required DCs: by deploying a single domain you reduce hardware cost.
It reduces the dependency on a global catalog server for authentication.
When authenticating in a native mode domain, the authenticating DC connects to a global catalog server to determine universal group membership for the authenticating security principal.
This is not required in a single domain environment because the authenticating DC knows about all objects in the forest.
It provides an easier migration path to multiple domains: going from a single domain to multiple domains is easy; going from multiple domains to a single domain is difficult.
For several technical reasons you sometimes have to deploy multiple domains.
The key reason is a requirement for differing account policies.
Account policies can only be applied at the domain level; there is no way to implement varying account policies in a single domain.
Password policy: defines the characteristics of passwords that may be used for authentication.
Account lockout policy: specifies which action is taken after a number of failed logon attempts.
Kerberos policy: defines the maximum ticket lifetime for authentication.
Account policies must be defined carefully. Don't make them too restrictive; otherwise they can lead to increased help desk calls from users whose accounts have been locked out.
Restrictive password policies actually reduce network security in some cases.
Different areas of an organization can't agree on the same password policy, so different domains have different password policies.
The password policies are:
Enforce password history: prevents users from reusing the same password; the policy can have a value between 0 and 24 passwords remembered.
Maximum password age: defines how frequently the password must change; the policy can have a value from 0 (password will never expire) to 999 days.
Minimum password age: defines how long a newly set password must exist before the user can change it.
Minimum password length.
Password must meet complexity requirements: controls the format of the password entered by the user: UPPER CASE, lower case, 1234567890 (numeric), !@#$%^&* (symbols); the password can't contain the user's account name.
Store password using reversible encryption for all users in the domain: the password is saved in this format after the user changes the password for the first time after this policy is set. Reversible encryption is used by IIS when configured to use Digest authentication and by dial-in users using CHAP.
Account lockout duration: values can be 0 to 99,999 minutes. If defined as 0, an admin has to manually unlock the account.
Account lockout threshold: defines how many incorrect logon attempts are allowed; values are 0 to 999 logon attempts.
Reset account lockout counter after: defines how frequently the account lockout counter is reset to zero. For example, if this policy is defined as 30 minutes, the account lockout counter will be reset to zero after 30 minutes have passed since the last failed logon attempt.
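The password and lockout settings above map one-to-one onto properties of the object that the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy cmdlet returns. The following PowerShell is an added example, not part of the original slides: a function that reads such an object and reports the settings the slides warn about (never-expiring passwords, lockout disabled, reversible encryption turned on, a lockout duration of 0 that forces manual unlocks). The sample object fed to it is constructed so the script runs without a domain; the name Test-DomainAccountPolicy, the "at least 8 characters" and "threshold below 5" cut-offs, and the assumption that a zero-length TimeSpan means "never expires" are this example's own choices.

```powershell
# Added example, not part of the original slides: evaluate a domain's
# password and account lockout settings against the ranges described above.
# The property names match those on the object returned by
# Get-ADDefaultDomainPasswordPolicy (ActiveDirectory module). The sample
# object at the bottom is constructed so the function runs without a domain.

function Test-DomainAccountPolicy {
    param([Parameter(Mandatory)] $Policy)

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Enforce password history: 0-24 remembered passwords; 0 allows immediate reuse.
    if ($Policy.PasswordHistoryCount -lt 1) {
        $findings.Add('Password history is 0: users can reuse their previous password immediately.')
    }

    # Maximum password age: 0 days means the password never expires. Assumption for
    # this example: the cmdlet reports that setting as a zero-length TimeSpan.
    if ($Policy.MaxPasswordAge.TotalDays -le 0) {
        $findings.Add('Maximum password age is 0: passwords never expire.')
    }

    # Minimum password age: with 0, a user can cycle through the whole history in one
    # sitting and land back on the old password, defeating the history setting.
    if ($Policy.MinPasswordAge.TotalDays -le 0 -and $Policy.PasswordHistoryCount -gt 0) {
        $findings.Add('Minimum password age is 0: the password history can be cycled through immediately.')
    }

    # Length and complexity cut-offs are this example's own choices.
    if ($Policy.MinPasswordLength -lt 8) {
        $findings.Add("Minimum password length is $($Policy.MinPasswordLength); this example expects at least 8.")
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings.Add('Complexity requirements are disabled.')
    }

    # Reversible encryption stores a recoverable password; it is only needed for
    # Digest authentication (IIS) and CHAP dial-in, so flag it whenever it is on.
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings.Add('Reversible encryption is enabled for all users in the domain.')
    }

    # Account lockout threshold: 0 means accounts are never locked out.
    if ($Policy.LockoutThreshold -eq 0) {
        $findings.Add('Lockout threshold is 0: account lockout is disabled.')
    } elseif ($Policy.LockoutThreshold -lt 5) {
        $findings.Add("Lockout threshold is $($Policy.LockoutThreshold): expect help desk calls from locked-out users.")
    }

    # Account lockout duration: 0 means an administrator must unlock manually.
    if ($Policy.LockoutThreshold -gt 0 -and $Policy.LockoutDuration.TotalMinutes -le 0) {
        $findings.Add('Lockout duration is 0: locked accounts must be unlocked by an administrator.')
    }

    # Reset counter window: Windows requires it to be no longer than the lockout
    # duration when the duration is non-zero.
    if ($Policy.LockoutDuration.TotalMinutes -gt 0 -and
        $Policy.LockoutObservationWindow -gt $Policy.LockoutDuration) {
        $findings.Add('Reset counter window is longer than the lockout duration.')
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample resembling a Get-ADDefaultDomainPasswordPolicy result.
$samplePolicy = [pscustomobject]@{
    ComplexityEnabled           = $true
    LockoutDuration             = [TimeSpan]::FromMinutes(30)
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(30)
    LockoutThreshold            = 10
    MaxPasswordAge              = [TimeSpan]::FromDays(90)
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    MinPasswordLength           = 7
    PasswordHistoryCount        = 24
    ReversibleEncryptionEnabled = $true
}

$result = Test-DomainAccountPolicy -Policy $samplePolicy
$result.Findings | ForEach-Object { Write-Output "FINDING: $_" }

# Against a live domain (requires the ActiveDirectory module and a domain account):
#   Test-DomainAccountPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
```

With the constructed sample the function reports two findings (the 7-character minimum length and reversible encryption being enabled); the other settings sit inside the ranges the slides describe. Because each domain carries exactly one such policy, running this per domain is also a quick way to document why a multi-domain design was chosen.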
The Kerberos policy defines settings for the Kerberos v5 authentication protocol.
These settings apply to all computers and users in the domain where the policy is defined. The Kerberos policy settings available in account policy include:
Enforce user logon restrictions: prevents a locked-out account from acquiring any additional service tickets after the account is locked.
Maximum lifetime for service ticket: how long a service ticket can be stored in the service ticket cache; after it times out, the account will renew the service ticket.
Maximum lifetime for user ticket: after exceeding this value the ticket will be discarded from the cache.
Maximum lifetime for user ticket renewal: once this period expires the user has to get a new ticket from the KDC.
Maximum tolerance for computer clock synchronization: defines how much a client computer's clock can be out of sync with a server's clock. If the clocks are out of sync by a period greater than this policy setting, the authentication will fail.
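Group Policy stores the Kerberos settings above in the [Kerberos Policy] section of a security template (GptTmpl.inf) in SYSVOL, keyed MaxTicketAge (user ticket, hours), MaxRenewAge (renewal, days), MaxServiceAge (service ticket, minutes), MaxClockSkew (minutes) and TicketValidateClient (enforce logon restrictions). The following PowerShell is an added example and not part of the original slides: it parses that section from template text and checks the relationships between the values (a service ticket cannot outlive the user ticket and cannot be shorter than 10 minutes; the renewal period cannot be shorter than the ticket it renews). The template text is constructed so it runs offline; the function names and the "flag any skew above the 5-minute default" rule are this example's own choices.

```powershell
# Added example, not part of the original slides: read the [Kerberos Policy]
# section of a security template (the GptTmpl.inf format Group Policy uses to
# store these settings) and check the values against the relationships
# described above. The template text below is constructed; on a domain
# controller the Default Domain Policy's copy lives under SYSVOL at
#   ...\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf

function Get-KerberosPolicyFromInf {
    param([Parameter(Mandatory)][string] $Content)

    $section  = ''
    $settings = @{}
    foreach ($line in $Content -split "`r?`n") {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }      # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Kerberos Policy' -and $line -match '^(\w+)\s*=\s*(\d+)$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    $settings
}

function Test-KerberosPolicy {
    param([Parameter(Mandatory)][hashtable] $Settings)

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $userTicketHours   = $Settings['MaxTicketAge']    # Maximum lifetime for user ticket (hours)
    $renewDays         = $Settings['MaxRenewAge']     # Maximum lifetime for user ticket renewal (days)
    $serviceTicketMins = $Settings['MaxServiceAge']   # Maximum lifetime for service ticket (minutes)
    $clockSkewMins     = $Settings['MaxClockSkew']    # Maximum tolerance for clock synchronization (minutes)

    if ($Settings['TicketValidateClient'] -ne 1) {
        $findings.Add('Enforce user logon restrictions is disabled.')
    }

    # A service ticket may not outlive the user ticket it was issued under,
    # and Windows rejects values under 10 minutes.
    if ($serviceTicketMins -lt 10 -or $serviceTicketMins -gt ($userTicketHours * 60)) {
        $findings.Add("Service ticket lifetime ($serviceTicketMins min) must be between 10 minutes and the user ticket lifetime ($userTicketHours h).")
    }

    # The renewal period must be at least as long as the ticket it renews.
    if (($renewDays * 24) -lt $userTicketHours) {
        $findings.Add("Renewal lifetime ($renewDays d) is shorter than the user ticket lifetime ($userTicketHours h).")
    }

    # Authenticators are only accepted within this window of the server's clock;
    # 5 minutes is the default, so a larger value is worth a second look.
    if ($clockSkewMins -gt 5) {
        $findings.Add("Clock skew tolerance is $clockSkewMins min (default is 5).")
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Constructed template text: the service ticket lifetime (900 min) exceeds the
# user ticket lifetime (10 h = 600 min), which the check should report.
$sampleInf = @'
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 900
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@

$kerb = Get-KerberosPolicyFromInf -Content $sampleInf
(Test-KerberosPolicy -Settings $kerb).Findings | ForEach-Object { Write-Output "FINDING: $_" }
```

Reading the template from SYSVOL rather than querying a live KDC keeps the check usable from any domain-joined workstation with read access to the policy share, and the parser ignores the other sections of the file, so the same function works on a template exported from a domain you are only reviewing.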
Differing account policies.
Replication issues: a branch office is connected to the main office via a WAN link, then ...
International considerations: some countries require management to take place within the country where the network is located.
Political reasons.