Lecture 5&6 corporate architecture

Lecture 5 & 6: Corporate Architecture Network Design & Administration

Transcript of Lecture 5&6 corporate architecture

Page 1: Lecture 5&6   corporate architecture

Lecture 5 & 6: Corporate Architecture
Network Design & Administration

Page 2: Lecture 5&6   corporate architecture

Network Design & Administration

Summary of Last Lecture

• Where possible ensure all user workstations are given the same OS build / release.

• Automate the process for speed, simplicity and repeatability.

• Check hardware compatibility if upgrading.
• If upgrading – Backup!
• If installing dual boot and Linux – Backup!

Page 3: Lecture 5&6   corporate architecture

Overview

• Originally, Microsoft provided only standalone PC’s – networks were sold by large vendors with thin client terminals connected to servers.

• Windows for Workgroups allowed small numbers of PC users to work together sharing files and printers.

• NT 3 / 4 provided a Domain concept, whereby certain servers on the network provided centralised directory services.

• Active Directory took this further, by adding layers of hierarchy to cope with large corporate structures.

• Similarly, Linux machines could be used alone, then in loose connectivity, then using Directory Services.

Page 4: Lecture 5&6   corporate architecture

What are Directory Services?[1]

• A database used to administer resources on a network.
• Need to make the following basic assumptions:
  • The objects in the database are relatively small.
  • The database will be widely replicated and cached.
  • The information is mainly attributes.
  • Access is mainly read, with occasional writes.
  • Searching is likely to be a frequent operation.
• The IETF’s Lightweight Directory Access Protocol (LDAP) not only provides a way to access the database over a network but also specifies the data schema and search methods for a directory service.

Page 5: Lecture 5&6   corporate architecture

Microsoft Domain vs. Workgroup

[Figure: Domain: two Windows Server 2008 Domain Controllers, each holding a replica of Active Directory with replication between them, a Windows Server 2008 member server acting as print server, and Windows 7 clients; the Accounts live in Active Directory. Workgroup: Windows Server 2008 machines (one acting as print server) and Windows 7 clients, each holding its own local Accounts.]

Page 6: Lecture 5&6   corporate architecture

Microsoft Workgroup

• A collection of computers interacting informally with no centralised authority.
• Each computer in the workgroup has its own set of local user accounts.
• User accounts are stored locally in a flat-file database called the Security Accounts Manager (SAM).
• Passwords are stored in hashed format.
• Question: What’s a hash function?

• If a user needs to access another computer they must have a valid account there too.

• This can be made simpler by ensuring each user has the same account name and password on each machine – but this costs admin time.

• Question: are there any limitations with workgroups?

Page 7: Lecture 5&6   corporate architecture

Side bar: Hash Tables

• Hash tables provide you with a way of storing mappings of one bit of data to another.
• Some key would provide a value (e.g. h(“Pa$$word”) → 76934856434).
• For example, you could use a hash table to associate user names with their accounts / passwords.
• The names would be unique and somehow provide you with the associated data.
• A hash table will need to provide:
  • A hash function
  • A bucket array/list (more on this in 3 slides)

[Figure: the names Clark Kent, Lois Lane, Jimmy Olsen and Perry White are hashed into slots 1 to 127 of a table holding the accounts ACT#4534, ACT#5675, ACT#6789 and ACT#7898?; e.g. h(user name) → user account]

Page 8: Lecture 5&6   corporate architecture

Side bar: Hash Functions

• Need some way of converting a unique key to a value: h(n) → v.
• Easy way – use the ASCII codes of the characters.
• To calculate the hash value for “White” (ASCII W = 87, h = 104, i = 105, t = 116, e = 101) as a polynomial with base 31, we do:

  87*31^4 + 104*31^3 + 105*31^2 + 116*31^1 + 101*31^0 = 83549193, so h(“White”) = 83549193

• BUT! How do we access element 83,549,193 in our hash table?
• Why use a large number?
• Collision: two different keys can hash to the same value, h(x1) = α and h(x2) = α.

Page 9: Lecture 5&6   corporate architecture

Side bar: Compression function

There are two methods:

1. A simple “division method” using modulo arithmetic
  • Bucket array has a known size (e.g. 1000 places).
  • Position can be found by i % array length.
  • h(“White”) = 83549193
  • But, what happens when multiple hashes point to the same position in the hash table (i.e. collisions)?
  • Either use a better compression function and / or implement a hash table using a bucket list/array (next slide).

2. More sophisticated method: MAD (multiply, add and divide)
  • Would produce the position.
  • Collisions can be handled by using:
    • Linear probing
    • Quadratic probing

Investigate in your own time!

Page 10: Lecture 5&6   corporate architecture

Side bar: Bucket Arrays

• A bucket array is just an array of size N.
• However, instead of each element storing one bit of information, the element provides another array which can grow…
• Better to use a linked list structure to store collisions – this will allow an indefinite number rather than, say, n = 9.

[Figure: a bucket array with slots 1 to 12; the names Jack Kent, Clark Kent, Lois Lane, Jimmy Olsen, Perry White and Lucy Lane are mapped by h(f) to buckets holding the accounts ACT#4534, ACT#5675, ACT#6789, ACT#7898, ACT#4535 and ACT#5676, with colliding names chained in the same bucket.]

Now back to workgroups….
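As an added worked example (this is not code from the lecture), the following Python puts the three side bars together: the base-31 polynomial hash that yields 83549193 for “White”, the division and MAD compression functions that map such a value into a table of known size, and a bucket array that chains colliding keys so lookups still return the right account. The MAD constants (a = 7, b = 3, p = 1000003) and the name/account pairs are constructed for illustration.

```python
from __future__ import annotations

from typing import Any, Callable, Optional

BASE = 31  # multiplier used on the slide: 87*31^4 + 104*31^3 + ... for "White"


def polynomial_hash(key: str, base: int = BASE) -> int:
    """Hash a string as a polynomial in `base` over its character codes.

    Evaluated in Horner form, which equals sum(ord(c) * base**(len-1-i)).
    For "White" (87, 104, 105, 116, 101) the result is 83549193, the value
    worked out on the slide.
    """
    h = 0
    for ch in key:
        h = h * base + ord(ch)
    return h


def division_compress(h: int, n: int) -> int:
    """Division method: the position is the hash modulo the array length."""
    return h % n


def mad_compress(h: int, n: int, a: int = 7, b: int = 3, p: int = 1_000_003) -> int:
    """MAD (multiply, add and divide): ((a*h + b) mod p) mod n.

    p is a prime larger than n and a, b are constants with a mod p != 0;
    the defaults here are constructed for illustration only.
    """
    return ((a * h + b) % p) % n


class BucketHashTable:
    """Bucket array: each of the n slots holds a list (separate chaining), so
    keys that compress to the same index sit side by side instead of
    overwriting each other.  A lookup only searches its own bucket."""

    def __init__(self, n: int = 1000,
                 compress: Callable[[int, int], int] = division_compress) -> None:
        self.n = n
        self.compress = compress
        self.buckets: list[list[tuple[str, Any]]] = [[] for _ in range(n)]

    def index(self, key: str) -> int:
        return self.compress(polynomial_hash(key), self.n)

    def put(self, key: str, value: Any) -> None:
        bucket = self.buckets[self.index(key)]
        for i, (k, _) in enumerate(bucket):
            if k == key:             # same key again: replace its value
                bucket[i] = (key, value)
                return
        bucket.append((key, value))  # new key: chain it onto the bucket

    def get(self, key: str) -> Optional[Any]:
        for k, v in self.buckets[self.index(key)]:
            if k == key:
                return v
        return None

    def collisions(self) -> int:
        """Number of keys that share a bucket with an earlier key."""
        return sum(len(b) - 1 for b in self.buckets if len(b) > 1)


# Constructed sample data in the spirit of the slide's figure (not real accounts).
SAMPLE_ACCOUNTS = {
    "Clark Kent": "ACT#4534",
    "Lois Lane": "ACT#5675",
    "Jimmy Olsen": "ACT#6789",
    "Perry White": "ACT#7898",
}


def build_sample_table(n: int = 1000) -> BucketHashTable:
    """Load the sample names into a table with n buckets."""
    table = BucketHashTable(n)
    for name, account in SAMPLE_ACCOUNTS.items():
        table.put(name, account)
    return table


if __name__ == "__main__":
    h = polynomial_hash("White")
    print("h('White') =", h)                                   # 83549193
    print("division method, 1000 slots ->", division_compress(h, 1000))
    print("MAD method, 1000 slots ->", mad_compress(h, 1000))
    # With only two buckets every sample name collides (all four hash to odd
    # values), yet each lookup still returns the right account.
    small = build_sample_table(2)
    print("collisions in a 2-slot table:", small.collisions())
    print("Perry White ->", small.get("Perry White"))
```

The 2-slot table is deliberately tiny to force collisions; with 1000 slots the same names spread out and the chains stay short, which is the trade-off the slide's "why use a large number?" question points at.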

Page 11: Lecture 5&6   corporate architecture

(Microsoft Workgroup slide repeated from Page 6.)

Note: Hash values and hash functions are used extensively within the OS.

Page 12: Lecture 5&6   corporate architecture

Microsoft Domain

• For larger networks (> approx. 10 computers), it is simpler to use a centralised Directory Service that contains a list of the resources available on a network.

• The domain model is hierarchical, and Active Directory Domain Services holds the list that is trusted by all machines on the network.

• Active Directory Domain Services includes:
  • Database of computers, users, etc.
  • LDAP services to mediate queries and responses
  • Kerberos security service
  • File replication service to ensure redundancy of domain information

Page 13: Lecture 5&6   corporate architecture

Active Directory Data Store physical structure[2]

[Figure: the layers of the data store, top to bottom, with the slide's annotations]

• Interfaces – LDAP, REPL, MAPI, SAM: allow access to the DB via 4 interface methods.
  • LDAP: Lightweight Directory Access Protocol
  • REPL: Replication and domain controller management interface
  • MAPI: Messaging API
  • SAM: Security Accounts Manager
• Directory Service Agent (DSA), Ntdsa.dll: access / modification of objects via read / write ops; syntax checking (schema); maintains the schema.
• Database Layer: interface between the DSA and the DB file; provides low-level DB functionality (create, read, write, delete).
• Extensible Storage Engine (ESE), Esent.dll: general purpose DB engine; low-level functions: indexing, transferring & integrity checks; transaction based (i.e. ATOMIC).

Page 14: Lecture 5&6   corporate architecture

Active Directory Domain Services Logical Structure

• This is comprised of the following:
  • Partitions
  • Domains
  • Domain trees
  • Forests
  • Sites
  • Organisational Units

Page 15: Lecture 5&6   corporate architecture

AD DS Partitions[2]

The AD data store is divided up into a number of logical partitions (also known as naming contexts):

• Domain directory
• Configuration directory
• Schema directory
• Global catalogue (covered in a later lecture)
• Application directory

Page 16: Lecture 5&6   corporate architecture

Domains[2]

Domains act as an administrative boundary within the organisation and define the following:

• Replication boundaries
• Security policy boundaries
• Resource access boundaries
• Trust boundaries

Page 17: Lecture 5&6   corporate architecture

Domain Trees

• Multiple domains with contiguous DNS namespaces form a domain tree.
• aardvark.com is the parent (root domain) in which child domains are created.

[Figure: aardvark.com with the child domains us.aardvark.com and eu.aardvark.com]

Page 18: Lecture 5&6   corporate architecture

Forests

• Highest level of the AD DS logical structure hierarchy.
• A forest can contain one or more domain trees and one or more domain namespaces.

[Figure: two domain trees, aardvark.com (children us.aardvark.com, eu.aardvark.com) and bison.com (children nott.bison.com, man.bison.com), joined by “some kind of link!”]

Page 19: Lecture 5&6   corporate architecture

Other Forest issues - Trust Relationships – Transitive Two-way Trust

• Trust allows the resources of one domain to be accessible from another (can be parent-child or tree-root trusts).
• By default, one-way trust (non-transitive trust) is enabled between domains.
• Need to explicitly set two-way for transitive trust.

[Figure: trees aardvark.com (us.aardvark.com, eu.aardvark.com) and bison.com (nott.bison.com, man.bison.com). Two-way trust versus one-way trust (bison trusts aardvark): user U1 logs in against the domain holding the U1 account, user U2 logs in against the domain holding the U2 account.]

Page 20: Lecture 5&6   corporate architecture

Shortcut Trusts

• Two-way transitive trust between aardvark.com and bison.com.
• Example: a user in the eu.aardvark.com domain wants to access a shared resource in the us.bison.com domain.
• The user needs to be referred to each domain controller in the trust path for authentication.
• To reduce latency times, introduce a shortcut trust relationship.
• A shortcut trust can be one-way or two-way but is not transitive (only the two domains trust each other, the rest don’t).

[Figure: trust path eu.aardvark.com → aardvark.com (1 hop) → bison.com (2 hops) → us.bison.com (3 hops); a shortcut trust between eu.aardvark.com and us.bison.com makes it 1 hop.]

Page 21: Lecture 5&6   corporate architecture

Forest Trusts

• Forest trusts provide two-way transitive trust between two connecting forest roots.
• This means that there is transitive trust between:
  • aardvark.com ↔ bison.com
  • bison.com ↔ giraffe.com
  • But no default forest trust between aardvark.com and giraffe.com
• Only allows authentication to occur between forests - replication does not happen.

[Figure: forests aardvark.com (us.aardvark.com, eu.aardvark.com), bison.com (nott.bison.com, man.bison.com) and giraffe.com (us.giraffe.com, eu.giraffe.com), with a forest trust between aardvark.com and bison.com and another between bison.com and giraffe.com]

Page 22: Lecture 5&6   corporate architecture

External Trusts

• Used to allow a domain external to the forest to access resources.
• Not the same as a forest trust, as an external trust is only between two domains (i.e. non-transitive).
• Usually one-way.

[Figure: trees aardvark.com (us.aardvark.com, eu.aardvark.com) and bison.com (nott.bison.com, man.bison.com) with a single external trust drawn between the two structures]

Page 23: Lecture 5&6   corporate architecture

Realm Trusts

• Used to connect a Windows Server 2008 domain to a non-Windows Kerberos realm.
• Can be defined as one-way, two-way, transitive or non-transitive.
• In this example, us.aardvark.com can access tiger.com resources using a one-way, non-transitive trust, but tiger.com is not able to access shared resources in us.aardvark.com.

[Figure: aardvark.com tree (us.aardvark.com, eu.aardvark.com) with a one-way realm trust from us.aardvark.com to tiger.com]
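To make the trust rules on the last five slides concrete, here is an added Python model of the aardvark / bison / giraffe / tiger domains (example code written for these notes, not Microsoft's or the lecture's). It derives parent-child trusts from the contiguous DNS names of a tree, treats a forest trust as transitive within the two forests but never chained on to a third forest, treats shortcut, external and realm trusts as usable only directly, and counts the trust hops a referral crosses, so the 3-hop path from eu.aardvark.com to us.bison.com and its 1-hop shortcut fall out of the data. The exposure() report lists which domains a given domain's users can be authenticated to, which is the "degree of exposure" an architecture review should be able to state for every domain. The hop model, the CHAINABLE rule set and the us.bison.com placement are simplifying assumptions of this example.

```python
from __future__ import annotations

from collections import deque
from typing import Optional

# Trust kinds.  "tree" covers the parent-child / tree-root trusts inside a
# forest (two-way, transitive).  "forest" is a forest trust between two forest
# roots (two-way, transitive inside both forests, but never chained on to a
# third forest).  "shortcut", "external" and "realm" trusts are non-transitive:
# a referral path may consist of that single trust and nothing else.
# (Assumed model for this example, simplified from the slides.)
CHAINABLE = {"tree", "forest"}


class TrustGraph:
    def __init__(self) -> None:
        # edges[trusting] = [(trusted, kind), ...].  "bison trusts aardvark"
        # means users from aardvark may be authenticated to bison's resources.
        self.edges: dict[str, list[tuple[str, str]]] = {}

    def add(self, trusting: str, trusted: str, kind: str, two_way: bool = True) -> None:
        self.edges.setdefault(trusting, []).append((trusted, kind))
        self.edges.setdefault(trusted, [])
        if two_way:
            self.edges[trusted].append((trusting, kind))

    def add_tree(self, *domains: str) -> None:
        """Derive the parent-child trusts of a domain tree from its contiguous
        DNS names: the parent of us.aardvark.com is aardvark.com."""
        for d in domains:
            self.edges.setdefault(d, [])
            parent = d.split(".", 1)[1]
            if parent in domains:
                self.add(parent, d, "tree")

    def hops(self, user_domain: str, resource_domain: str) -> Optional[int]:
        """Fewest trusts a referral must cross for a user of user_domain to be
        authenticated to resource_domain, or None when no trust path exists."""
        if user_domain == resource_domain:
            return 0
        # A direct trust of any kind is one hop, non-transitive ones included.
        if any(t == user_domain for t, _ in self.edges.get(resource_domain, [])):
            return 1
        # Otherwise only chainable trusts may be followed.  Breadth-first
        # search from the resource side; the state remembers whether a forest
        # trust has already been used on this path.
        start = (resource_domain, False)
        queue = deque([(start, 0)])
        seen = {start}
        while queue:
            (dom, used_forest), n = queue.popleft()
            for nxt, kind in self.edges.get(dom, []):
                if kind not in CHAINABLE or (kind == "forest" and used_forest):
                    continue
                state = (nxt, used_forest or kind == "forest")
                if state in seen:
                    continue
                if nxt == user_domain:
                    return n + 1
                seen.add(state)
                queue.append((state, n + 1))
        return None

    def exposure(self, user_domain: str) -> dict[str, int]:
        """Every other domain that users of user_domain can be authenticated
        to, with the hop count: the degree of exposure of those domains."""
        result = {}
        for d in sorted(self.edges):
            h = self.hops(user_domain, d)
            if d != user_domain and h is not None:
                result[d] = h
        return result


def lecture_forests(shortcut: bool = False) -> TrustGraph:
    """The slides' example forests, reconstructed from the diagrams."""
    g = TrustGraph()
    g.add_tree("aardvark.com", "us.aardvark.com", "eu.aardvark.com")
    g.add_tree("bison.com", "nott.bison.com", "man.bison.com", "us.bison.com")
    g.add_tree("giraffe.com", "us.giraffe.com", "eu.giraffe.com")
    g.add("aardvark.com", "bison.com", "forest")       # two-way forest trust
    g.add("bison.com", "giraffe.com", "forest")        # two-way forest trust
    # Realm trust: us.aardvark.com users may use tiger.com, not the reverse.
    g.add("tiger.com", "us.aardvark.com", "realm", two_way=False)
    if shortcut:
        g.add("eu.aardvark.com", "us.bison.com", "shortcut")
    return g


if __name__ == "__main__":
    for sc in (False, True):
        g = lecture_forests(shortcut=sc)
        print("shortcut" if sc else "no shortcut",
              "eu.aardvark.com -> us.bison.com:",
              g.hops("eu.aardvark.com", "us.bison.com"))
    g = lecture_forests()
    print("us.aardvark.com -> us.giraffe.com:", g.hops("us.aardvark.com", "us.giraffe.com"))
    print("tiger.com -> us.aardvark.com:", g.hops("tiger.com", "us.aardvark.com"))
    print("exposure of us.aardvark.com users:", g.exposure("us.aardvark.com"))
```

Running it shows the forest-trust rule from the slide (aardvark users never reach giraffe, because the only route would chain two forest trusts), the realm trust working in one direction only, and that adding the shortcut cuts the eu.aardvark.com to us.bison.com path from 3 hops to 1 without shortening any other domain's path.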

Page 24: Lecture 5&6   corporate architecture

Sites

• The logical structure of AD DS is independent of the physical infrastructure of the network used within the organisation.
• Need to consider, when designing the organisational structure, where users and resources are going to be located.
• A site can be thought of as an area (e.g. Clifton campus) which has its own network, comprised of one or more DCs and a number of clients.
• There are a number of reasons for using a site when managing network traffic:
  • Replication
  • Authentication
  • Site-aware network services

Page 25: Lecture 5&6   corporate architecture

Organisational Units

• Microsoft recommend organisations to have relatively few domains and to manage the administration by use of OUs.
• OUs are containers within domains and can be layered.
• OUs can contain different types of AD DS objects:
  • User
  • Group
  • Printers
  • Organisational units
  • Computers
  • Shared folders
  • Contacts
  • inetOrgPerson

Page 26: Lecture 5&6   corporate architecture

Organisational Units

• Objects are known by their distinguished names (DN) and have attributes – both informative and administrative (e.g. for permissions).

• The Schema sets out the rules to govern what objects can be used and how they are specified.

• The objects in containers (such as users or computers) that cannot contain other objects are called leaf objects.

• Rights & permissions are allocated to containers (and therefore the objects in them).

Page 27: Lecture 5&6   corporate architecture

Domains and Domain Controllers

• When a server is promoted to become a Domain Controller, it hosts a replica of the AD DS database.
• Typically, domains have 2+ DCs for redundancy because the information is so critical to the workings of the network.
• DCs copy information between themselves to ensure changes are propagated – this is done via multi-master replication, so there is no need to start from a designated Primary DC.

Page 28: Lecture 5&6   corporate architecture

Integrating DNS & DHCP services

• Microsoft encourage the integration of DNS services onto DCs[3].
• This allows the DNS to make use of the replication / redundancy features provided under Active Directory.
• Provides additional security for DNS by use of group policies (see later).
• Avoids the need to manage DNS information separately.
• When a DC also does DHCP, DHCP inherits the DC’s permissions on DNS records, so it is advised to configure the DHCP server with the credentials of a dedicated user account[4].

Page 29: Lecture 5&6   corporate architecture

Domain Controller Issues

• AD DS is so important that the domain controller functionality was designed to allow for controlled restoration from working DCs.
• A faulty DC can be brought into line with other up-to-date ones by following this sequence:
  • Reboot the DC in Directory Services Restore Mode (will need the DSRM password supplied during the original DC setup).
  • Use a backup to get the (out of date) DS information.
  • Restart, indicating a non-authoritative restoration, to acquire changes from the other DCs.
• Authoritative restores are required when deleted objects need to be forcibly restored from an AD DS backup.

Page 30: Lecture 5&6   corporate architecture

Why is the architecture important?

• Active Directory involves sharing information between domain controllers.
• Letting users/computers in one structure access facilities in another involves different degrees of exposure depending on domain / tree / forest.
• In large structures with many users and computers, we want to minimise replication of information in the global catalogue.
• (We will look at the global catalogue in more detail in a later session when working with groups.)

Page 31: Lecture 5&6   corporate architecture

Other DC roles: Operations Masters[2]

• Certain roles within the AD DS hierarchy are not suited to the replication methods used for Domain Controllers.
• These are called FSMO (Flexible Single Master Operations) or Operations Master roles.
• Need to specify an authoritative server to handle certain directory operations to ensure that consistency is maintained.
• Types of FSMO/Operations Master roles:
  • Schema master
  • Domain naming master
  • RID master
  • PDC emulator
  • Infrastructure master
• Roles must be carefully distributed to allow DCs to take over after a failure.

Page 32: Lecture 5&6   corporate architecture

Other DC roles: Read-Only Domain Controllers[2]

• Same as a “normal” domain controller within a domain, i.e. provides the same functionality (authentication, authorisation, DNS).
• But:
  • Is limited.
  • No credentials stored locally.
  • Authentication requires access to a writeable DC to authenticate requests.
  • Cannot configure an RODC with an FSMO role.
• Why use them?
  • Ideal when the physical security of the DC cannot be guaranteed (e.g. in an open office with no dedicated machine room).
  • When storing data on local storage would pose a security risk.

Page 33: Lecture 5&6   corporate architecture

Linux integration

• Microsoft Server 2008 includes Windows Security and Directory Services for Unix to allow Linux/Unix clients in a mixed environment to use AD DS Kerberos for authentication, and LDAP to retrieve authorisation information from either Unix or AD servers.
• Pure Linux can use OpenLDAP to control/share system files and attributes:
  • e.g. /etc/passwd, /etc/group, /etc/hosts
• (Lab 3 will introduce adding Linux clients to an Active Directory domain.)

Page 34: Lecture 5&6   corporate architecture

Summary

• Domain services provide functionality to control the logical structure of an organisation.
• Domains are used within a geographical boundary (e.g. in a single company).
• Forests connect multiple domains together.
• Forests provide a number of trust relationships for information to flow between domains.
• Organisational units provide structure and act as containers for resources, which can model the real-world company structure.

Page 35: Lecture 5&6   corporate architecture

Next Time & References

• Naming and Namespaces
• Objects in Active Directory – computers, users and groups.

[1] “Unix and Linux Systems Administration Handbook”, Nemeth, E. et al., 4th Edition, Chapter 19.3.
[2] Windows Server 2008 Active Directory Resource Kit
[3] http://technet.microsoft.com/en-us/library/cc771613.aspx
[4] http://technet.microsoft.com/en-us/library/cc787034.aspx
[5] http://www.exchangeinbox.com/article.aspx?i=30