Part 4: Planning the Active Directory and Security

Learning Objectives. Explain the contents of the Active Directory. Plan how to set up Active Directory components, such as organizational units, domains, trees, forests, and sites. Plan which Windows 2000 security features to use in an organization, including interactive logon, object security, and services security.

Presentation Transcript

Slide 1

Part 4: Planning the Active Directory and Security

Slide 2

Learning Objectives
Explain the contents of the Active Directory
Plan how to set up Active Directory components, such as organizational units, domains, trees, forests, and sites
Plan which Windows 2000 security features to use in an organization, including interactive logon, object security, and services security

Slide 3

Learning Objectives (continued)
Plan how to use groups, group policies, and security templates
Plan IP security measures

Slide 4

Windows NT Domain Structure
Security Accounts Manager (SAM) database holds information on user accounts, groups, and security privileges
One primary domain controller (PDC) has the master copy of the SAM
One or more backup domain controllers (BDCs) have backup copies of the SAM

Slide 5

Using a PDC, BDCs, and the SAM database
Figure 4-1 Windows NT SAM architecture

Slide 6

Windows 2000 Active Directory
Domain objects including user accounts, computers, servers, printers, groups, security policies, domains, and other objects make up the Active Directory

Slide 7

Active Directory Objects
Figure 4-2 Domain objects in the Active Directory

Slide 8

Multimaster Replication
Multimaster replication: In Windows 2000 there can be multiple servers, called domain controllers (DCs), that store the Active Directory and replicate it to each other. Because every DC acts as a master, replication does not stop when one is down. Every DC is a master in its own right.

Slide 9

Multimaster Architecture
Figure 4-3 Windows 2000 Active Directory architecture

Slide 10

Schema: Elements used in the definition of each object contained in the Active Directory, including the object class and its attributes

Slide 11

Example Schema Characteristics of the User Account Class
Unique object name
Globally unique identifier (GUID) associated with each object name
Required attributes
Optional attributes
Syntax of how attributes are defined
Pointers to parent entities

Slide 12

Example User Account Attributes
Username
User's full name
Password

Slide 13

Schema Example
Figure 4-4 Sample schema data for user accounts

Slide 14

Default Object Classes
Domain
User account
Group
Shared drive
Shared folder
Computer
Printer

Slide 15

Object Naming
Common name (CN): The most basic name of an object in the Active Directory, such as the name of a printer
Distinguished name (DN): A name in the Active Directory that contains all hierarchical components of an object, such as that object's organizational unit and domain, in addition to the object's common name

Slide 16

Object Naming (continued)
Relative distinguished name (RDN): An object name in the Active Directory that has two or more related components, such as the RDN of a user account name that consists of User (a container for accounts) and the first and last name of the actual user

Slide 17

Namespace: A logical area on a network that contains directory services and named objects, and that can perform name resolution

Slide 18

Types of Namespaces
Contiguous namespace: A namespace in which each child object contains the name of its parent object
Disjointed namespace: A namespace in which the child object name does not resemble the name of its parent object
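The naming rules on slides 15 through 18 can be exercised in code. The following is an added example, not material from the slides or from Microsoft: it splits a distinguished name into its components, extracts the RDN and parent container, and checks whether a child domain's DNS name is contiguous with its parent's. All sample names are constructed.

```python
"""Parse Active Directory distinguished names and check namespace contiguity.
Added illustration; the DN values below are constructed, not real objects."""
from typing import List, Tuple

# Constructed sample DN: a user in the Sales OU of the example.com domain.
# The comma inside the CN value is escaped, as LDAP requires.
SAMPLE_DN = "CN=Doe\\, Jane,OU=Sales,DC=example,DC=com"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring backslash escapes so that
    an escaped comma inside a value is not treated as a component separator."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    result = []
    for part in parts:
        typ, _, val = part.partition("=")
        result.append((typ.strip().upper(), val.strip()))
    return result


def rdn(dn: str) -> str:
    """Relative distinguished name: the leftmost component of the DN."""
    typ, val = parse_dn(dn)[0]
    return f"{typ}={val}"


def parent_dn(dn: str) -> str:
    """The container that holds the object: everything after the RDN."""
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Join the DC= components into the domain's DNS name, e.g. example.com."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")


def is_contiguous(child_domain: str, parent_domain: str) -> bool:
    """Tree rule (slide 18): a child domain's name must contain its parent's name,
    i.e. sales.example.com sits directly under the example.com namespace."""
    return child_domain.lower().endswith("." + parent_domain.lower())
```

A name such as example.net next to example.com fails the contiguity check, which is exactly the case that calls for a second tree in the forest rather than a child domain.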

Slide 19

Active Directory Elements
Domains
Organizational units (OUs)
Trees
Forests
Sites

Slide 20

Active Directory Architecture
Figure 4-5 Active Directory hierarchical containers

Slide 21

Functions of a Domain
Provide a security boundary for objects in a common relationship
Establish a set of data to be replicated among DCs
Expedite management of a set of objects

Slide 22

Using a Single Domain
Figure 4-6 Single domain

Slide 23

Using Multiple Domains
Figure 4-7 Using multiple domains

Slide 24

Domain Creation Dos and Don'ts

Slide 25

Domain Creation Dos and Don'ts (continued)

Slide 26

Functions of an OU
Group related objects, such as user accounts and printers, for easier management
Reflect the structure of an organization
Group objects to be administered using the same group policies

Slide 27

Using OUs to Reflect Organizational Structure
Figure 4-8 OUs used to reflect the divisional structure of an organization

Slide 28

Design Tips for Using OUs
Limit OUs to 10 levels or fewer
OUs use fewer CPU resources when they are set up horizontally rather than vertically
Each request through an OU level requires CPU time in a query

Slide 29

OU Creation Dos and Don'ts

Slide 30

OU Creation Dos and Don'ts (continued)

Slide 31

Characteristics of a Tree
Member domains are in a contiguous namespace
Member domains can form a hierarchy
Member domains use the same schema for common objects
Member domains use the same global catalog

Slide 32

Global Catalog
Global catalog: A grand repository for all objects and the most frequently used attributes for each object in all domains. Each tree has one global catalog.

Slide 33

Global Catalog Functions
Authenticating users
Providing lookup and access to resources in all domains
Providing replication of key Active Directory elements
Keeping a copy of the most frequently used attributes for all objects

Slide 34

Hierarchical Domains in a Tree
Figure 4-9 Tree with hierarchical domains

Slide 35

Kerberos Transitive Trust
Kerberos transitive trust relationship: A set of two-way trusts between two or more domains in which Kerberos security is used.

Slide 36

Trusted and Trusting Domains
Trusted domain: A domain that has been granted security access to resources in another domain
Trusting domain: A domain that allows another domain security access to its resources and objects, such as servers

Slide 37

Tree Creation Dos and Don'ts

Slide 38

Tree Creation Dos and Don'ts (continued)

Slide 39

Planning Tip
Make sure each tree has at least one DC that is also configured as a global catalog
Locate global catalog servers in a network design architecture that enables fast user authentication (so that authentication does not have to be performed over a WAN link, for example)

Slide 40

Characteristics of a Forest
Member trees use a disjointed namespace (but contiguous namespaces within trees)
Member trees use the same schema
Member trees use the same global catalog

Slide 41

Single Forest
Single forest: An Active Directory model in which there is only one forest with interconnected trees and domains that use the same schema and global catalog

Slide 42

Single Forest Architecture
Figure 4-10 A forest

Slide 43

Separate Forest
Separate forest: An Active Directory model that links two or more forests in an organization, but the forests cannot have Kerberos transitive trusts or use the same schema
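The trust rules on slides 35 and 36 (two-way transitive Kerberos trusts inside a forest) and slide 43 (no transitive trust between separate forests) can be checked with a small trust-path evaluator. This is an added example, not part of the slides; the domain names and trust table are constructed. It models the inter-forest link as a one-way, non-transitive external trust, which is how Windows 2000 connects separate forests.

```python
"""Evaluate whether a resource domain trusts a user's domain, directly or
transitively. Added illustration with a constructed trust table."""
from collections import deque
from typing import Dict, List, Set, Tuple

# Kerberos trusts are two-way and transitive, so one forest is the set of
# domains connected by them. Both trees below (example.com, example.net)
# are in the same forest because the tree roots trust each other.
KERBEROS_TRUSTS: List[Tuple[str, str]] = [
    ("example.com", "sales.example.com"),
    ("example.com", "eng.example.com"),
    ("example.com", "example.net"),
]

# External trusts to a separate forest: one-way (trusting -> trusted) and
# non-transitive. partner.org trusts sales.example.com and nothing else.
EXTERNAL_TRUSTS: List[Tuple[str, str]] = [
    ("partner.org", "sales.example.com"),
]


def forest_of(domain: str) -> Set[str]:
    """All domains reachable from `domain` over Kerberos trusts = its forest."""
    adjacency: Dict[str, Set[str]] = {}
    for a, b in KERBEROS_TRUSTS:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen, queue = {domain}, deque([domain])
    while queue:
        current = queue.popleft()
        for neighbour in adjacency.get(current, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def can_access(user_domain: str, resource_domain: str) -> bool:
    """True when resource_domain trusts user_domain, so the user's Kerberos
    ticket can be honoured there (subject to the object's own ACL)."""
    if resource_domain in forest_of(user_domain):
        return True  # same forest: a transitive trust path always exists
    # Separate forests: only a direct external trust counts, only in the
    # trusting -> trusted direction, and nothing chains through it.
    return (resource_domain, user_domain) in EXTERNAL_TRUSTS
```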

Slide 44

Separate Forest Architecture
Figure 4-11 Separate forest model

Slide 45

Forest Creation Dos and Don'ts

Slide 46

Forest Creation Dos and Don'ts (continued)

Slide 47

Design Tip
When you create a separate forest structure, remember that:
Replication cannot take place between forests
The forests use different schemas and global catalogs
The forests cannot be easily merged into a single forest later on

Slide 48

Site: An option in the Active Directory to interconnect IP subnets so that it can determine the fastest route to connect clients for authentication and to connect DCs for replication of the Active Directory. Site information also enables the Active Directory to create redundant routes for DC replication.

Slide 49

Characteristics of a Site
Reflects one or more interconnected subnets (512 Kbps or faster)
Reflects the same boundaries as the LAN
Used for DC replication
Enables clients to access the closest DC
Composed of servers and configuration objects
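Slides 48 and 49 describe sites as groups of IP subnets that steer a client to the closest DC. The example below, added here and not taken from the slides, shows that mapping: a client address is matched to a site by longest-prefix subnet match, the DCs of that site are returned, and a design check flags subnets assigned to more than one site. Site names, subnets and DC hostnames are constructed.

```python
"""Resolve a client IP to its Active Directory site and the DCs serving it.
Added illustration; the site/subnet/DC table is constructed sample data."""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: each site is one or more well-connected subnets.
# Branch's 10.1.50.0/24 lies inside HQ's 10.1.0.0/16; the more specific
# subnet wins, so branch clients are not sent across the WAN to HQ.
SITE_SUBNETS: Dict[str, List[str]] = {
    "HQ": ["10.1.0.0/16"],
    "Branch": ["10.1.50.0/24", "192.168.7.0/24"],
}
SITE_DCS: Dict[str, List[str]] = {
    "HQ": ["dc1.example.com", "dc2.example.com"],
    "Branch": ["dc3.example.com"],
}


def find_site(client_ip: str) -> Optional[str]:
    """Return the site whose subnet most specifically contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    best_site, best_prefix = None, -1
    for site, subnets in SITE_SUBNETS.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if ip in net and net.prefixlen > best_prefix:
                best_site, best_prefix = site, net.prefixlen
    return best_site


def closest_dcs(client_ip: str) -> List[str]:
    """DCs in the client's site; if no site covers the subnet, any DC may
    answer, which is the slow case site planning is meant to avoid."""
    site = find_site(client_ip)
    if site is None:
        return sorted(dc for dcs in SITE_DCS.values() for dc in dcs)
    return list(SITE_DCS[site])


def duplicate_subnets() -> List[str]:
    """Design check: a subnet listed under two sites makes site lookup
    ambiguous, so replication and logon routing become unpredictable."""
    seen: Dict[str, str] = {}
    duplicates = []
    for site, subnets in SITE_SUBNETS.items():
        for cidr in subnets:
            key = str(ipaddress.ip_network(cidr))
            if key in seen and seen[key] != site:
                duplicates.append(key)
            seen.setdefault(key, site)
    return sorted(duplicates)
```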

Slide 50

Site Links
Site link object: An object created in the Active Directory to indicate one or more physical links between two different sites
Site link bridge: An Active Directory object (usually a router) that joins individual site link objects to create faster routes when there are three or more site links

Slide 51

Site Link Architecture
Figure 4-12 Site link

Slide 52

Site Creation Dos and Don'ts

Slide 53

Site Creation Dos and Don'ts (continued)

Slide 54

Design Tip
Define sites in the Active Directory on networks that have multiple global catalog servers that reside in different subnets
Use sites to improve network performance by improving authentication and replication

Slide 55

Active Directory Guidelines
Keep the Active Directory implementation as simple as possible
Implement the smallest number of domains possible
Implement only a single domain on most small networks
Use OUs to reflect the organizational structure (instead of using domains for this purpose)

Slide 56

Active Directory Guidelines (continued)
Create only the number of OUs that are necessary
Do not make OUs more than 10 levels deep
Use domains for natural security boundaries
Implement trees and forests only as necessary

Slide 57

Active Directory Guidelines (continued)
Use trees for domains that have a contiguous namespace
Use forests for multiple trees that have disjointed namespaces between them
Use sites in situations where there are multiple IP subnets and geographic locations, to improve performance

Slide 58

Basic Types of Active Directory Security
Account or interactive logon security
Object security
Services security

Slide 59

Interactive Logon Security
DC checks that the user account is in the Active Directory
DC checks for the correct user account name and password

Slide 60

Object Security
Security descriptor: An individual security property associated with a Windows 2000 Server object, such as enabling the account MGardner (the security descriptor) to access the folder Databases
Access control list (ACL): A list