Presentation Transcript

  1. Windows 2000: Concepts & Deployment • Larry Lieberman, NT Support Engineer, Premier Enterprise Support, Microsoft Corporation

  2. Agenda • Active Directory • Microsoft DNS • Distributed Security • System Management

  3. Active Directory • Architecture • Components • Planning AD Design

  4. AD Architecture • X.500 derived data model • Directory stored schema • Windows 2000 Trusted Computing Base security model • Delegated Administration Model • DNS integration

  5. AD Components (1/10) • Objects • Organizational Units (OUs) • Domains • Sites • Trees & Forests • Global Catalog

  6. AD Components (2/10): Objects • Object class: defined in the schema • Attributes • Data storage is allocated as necessary • An object instance is created in the directory • Diagram label: Directory object

  7. AD Components (3/10): Object Access • Access to directory objects is controlled via Access Control Lists (ACLs) • Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes • Diagram labels: Directory object; ACL; ACE; Sales Managers: read access; ACEs can apply to specific attributes

  8. AD Components (4/10): Organizing the Directory • A hierarchy of objects can be created using Organizational Units (OUs) • Although OUs are the primary containers used to create the hierarchy, all directory objects are potential containers • Diagram: a tree of OUs, captioned “Deep or flat structure?”

  9. AD Components (5/10): OUs • OU security provides the mechanism for controlling object visibility and delegating administration • Diagram labels: OU; Inheritable ACLs; Sales Managers: read access; UK Users: Read Volume objects; UK User Admins: Create Users; Location1 Admins: Reset passwords

  10. AD Components (6/10): Domains • One or more domain controllers • Multi-master replication • One or more sites • Diagram labels: Directory hosted on all DCs; Schema; Configuration; Sites; Domain directory

  11. AD Components (7/10): Sites • Controls Active Directory replication • Site knowledge used: logon locator; printer locator and pruner; Dfs and more • Diagram labels: Intra-site replication automatically configured; Schedule inter-site replication; One or more subnets

  12. AD Components (8/10): Trees And Forests • Configuration and schema common to all domains • Transitive trusts link domains

  13. AD Components (9/10): Boundaries • Replication • Administration • Security Policy • Group Policy

  14. AD Components (10/10): Global Catalog • Enterprise-wide searches • Resolves enterprise queries • Diagram labels: GC; Partial replica of all domain objects; Hosted on one or more DCs

  15. Planning AD Design (1/6): Considerations • Defining a logical hierarchy of resources • Administrative architectures • Allocation of physical resources and budget • Current infrastructure and upgrade strategies • Data availability requirements • Network bandwidth • Politics

  16. Planning AD Design (2/6): One Or More Forests • All domains in a forest share a common schema and global catalog • Create multiple forests if: separate schemas are required; one or more domains are required to be isolated from the spanning tree of transitive trusts; total administrative autonomy is required

  17. Planning AD Design (3/6): Domain Structure • Where possible use a single domain • Use OUs to delegate administration • Use sites to tune replication • Use multiple domains when there is a requirement for: scalability across WANs; autonomous administrative entities; different security account policies (password, lockout and Kerberos ticket)

  18. Planning AD Design (4/6): Multiple Domains (1/3) • Containment of network traffic • Directory replication • Policies (FRS) • In-place upgrades from Windows NT domains • Autonomous divisions with separate names • No technical reasons, only politics • Names are not important

  19. Planning AD Design (5/6): Multiple Domains (2/3) • Each domain has an incremental overhead • Increased administration • Increased hardware • Separate DCs are required for each domain • Try to avoid creating divisional or departmental domains for purely political reasons • Change is inevitable, they are easy to create and hard to retire

  20. Planning AD Design (6/6): Multiple Domains (3/3) • Separate the production forest from development and testing • Prevents unwanted schema changes propagating through the enterprise • Create a separate forest to restrict access for business partners

  21. Microsoft DNS • Windows 2000 DNS Requirements • MS DNS Features • DNS Design

  22. DNS Requirements • A DNS server that is authoritative for a Windows 2000 domain MUST support SRV records (RFC 2052) • It also should support dynamic updates (RFC 2136) • The NETLOGON service on the domain controller automatically registers all of the domain services and the site that it supports

  23. MS DNS Features (1/12) • Active Directory integration • Dynamic Update • Aging • Administrative tools • Caching resolver

  24. MS DNS Features (2/12) Active Directory Integration • AD-integrated DNS zone is multi-master

  25. MS DNS Features (3/12) Active Directory integration: “Primary” zones • Diagram steps: 1) Receive update 2) Write to ADS 3) ADS replicates 4) Read from ADS • Diagram labels: DNS; ADS

  26. MS DNS Features (4/12) Active Directory integration • AD-integrated DNS zone is multi-master • High availability of write, as well as read • Doesn’t require replication separate from AD replication

  27. MS DNS Features (5/12) Active Directory integration • ADS replication is loosely consistent • Name-level collision: two hosts create the same name simultaneously (first writer wins) • Attribute-level collision: two hosts modify the A RRset for microsoft.com simultaneously (last writer wins)

  28. MS DNS Features (6/12) Dynamic Update • Based on RFC 2136 • Client discovers primary server for the zone where the record should be added/deleted • Client sends a dynamic update package to the primary server • Primary server processes the update

  29. MS DNS Features (7/12) Dynamic Update • Windows 2000 computer registers: • A RR with Hostname.PrimaryDnsSuffix (default) and Hostname.AdapterSpecificDnsSuffix (if configured) • PTR RR if adapter is not DHCP configured or DHCP server doesn’t support DNS RR registration

  30. MS DNS Features (8/12) Dynamic Update • Windows 2000 DHCP server registers (based on draft-ietf-dhc-dhcp-dns-*.txt) • PTR records on behalf of upgraded clients (default) • A and PTR records on behalf of downlevel clients (default) • A and PTR records on behalf of upgraded clients (if configured) • Windows 2000 DHCP server removes records that it registered upon lease expiration

  31. MS DNS Features (9/12) Secure Dynamic Update • Based on draft-skwan-gss-tsig-04.txt • Available only on AD-integrated zones • Per-zone and per-name granularity • ACL on each zone and name

  32. MS DNS Features (10/12) Aging/Scavenging • Enables deletion of the stale records in AD-integrated zones • Requires periodic refreshes of the records

  33. MS DNS Features (12/12) Caching Resolver • Windows 2000 service • Caches RRs according to TTL • Negative caching • Tracks transient/PnP adapters • Reorders servers according to responsiveness • Fewer round-trips, fewer timeouts, faster response time

  34. DNS Design (1/11): To support DC locator • DNS server authoritative for the DC records MUST support SRV RRs • Support for Dynamic Updates is recommended

  35. DNS Design (2/11) • Delegate a DNS zone for each AD domain to the DNS servers running on the DCs in that AD domain

  36. DNS Design (3/11) • Diagram: corp.example.com, zones: Primary AD-int “corp.example.com”

  37. DNS Design (4/11) • Diagram: corp.example.com, zones: Primary AD-int “corp.example.com”; Domain1.corp.example.com, zones: Primary AD-int “Domain1.corp.example.com”

  38. DNS Design (5/11) • Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain • Install a DNS server on at least two DCs in each AD domain and one DC in each site

  39. DNS Design (6/11) • Diagram: corp.example.com, zones: Primary AD-int “corp.example.com”; Domain1.corp.example.com (diagram shows Site1, Site2, Site3), zones: Primary AD-int “Domain1.corp.example.com”

  40. DNS Design (7/11) • Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain • Install a DNS server on at least two DCs in each AD domain and one DC in each site • If different sites in the forest are connected over a slow link, delegate the zone “_msdcs.<ForestName>” and make at least one DNS server in every site secondary for this zone

  41. DNS Design (8/11) • Diagram: corp.example.com, zones: Primary AD-int “corp.example.com”, Primary AD-int “_msdcs.corp.example.com.”; Domain1.corp.example.com (diagram shows Site1, Site2, Site3), zones: Primary AD-int “Domain1.corp.example.com”, Secondary “_msdcs.corp.example.com.”

  42. DNS Design (9/11) • Install a DNS server on at least two DCs in each AD domain and one DC in each site • Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain • If different domains of the forest are connected over slow links, delegate the zone _msdcs.<ForestName> and make at least one DNS server in every site secondary for this zone • Each client should be configured to query at least two DNS servers, one of which is in the same site

  43. DNS Design (10/11) • Diagram: corp.example.com, zones: Primary AD-int “corp.example.com”, Primary AD-int “_msdcs.corp.example.com.”; Domain1.corp.example.com (diagram shows Site1, Site2, Site3), zones: Primary AD-int “Domain1.corp.example.com”, Secondary “_msdcs.corp.example.com.”

  44. DNS Design (11/11): Hardware planning • Memory usage: no zones loaded ~4 MB; each record requires ~100 bytes • Performance: Alpha 533 MHz dual-processor with 25% processor utilization: 1600 queries and 200 dynupd/second; Intel P-II 400 MHz dual-processor with 30% processor utilization: 900 queries and 100 dynupd/second

  45. Security Topics • Kerberos Integration with Windows NT • Security Provider Architecture • Public Key Security Components • Smart card logon and authentication • Encrypting File System • Security Policies and Domain Trust • Secure Windows NT Configuration

  46. Security Goals • Single enterprise logon • Integrated security services with Windows NT Directory Service • Delegated administration and scalability for large domains • Strong network authentication protocols • Standard protocols for interoperability of authentication

  47. Authentication/Authorization • Authenticate using domain credentials • User account defined in Active Directory • Authorization based on group membership • Centralize management of access rights • Distributed security tied to the Windows NT Security Model • Network services use impersonation • Object-based access control lists

  48. One Security Model: Multiple Security Protocols • Shared key protocols • Windows NTLM authentication: compatibility in mixed domains • Kerberos V5 for enterprise networks • Public key certificate protocols • Secure Sockets Layer (SSL) / Transport Layer Security (TLS) • IP Security • Multiple forms of credentials in the Active Directory

  49. NTLM Authentication • Diagram steps: 1) NTLM challenge/response 2) Uses LSA to log onto domain 3) Netlogon service returns user and group SIDs from domain controller 4) Server impersonates client • Diagram labels: Application server; MSV1_0; Netlogon; Windows NT Directory Service; Windows NT domain controller

  50. Kerberos Integration • Kerberos SSPI provider manages credentials and security context; LSA manages ticket cache • Session ticket authorization data supports NT access control model • KDC relies on the Active Directory as the store for security principals and policy • Diagram labels: Client; Server; Windows NT Directory Server; Key Distribution Center (KDC); Windows NT Domain Controller