How to Succeed with Active Directory

Robert Williams, PhD, CEO, Secure Logistix Corporation


Presentation Outline

Demystifying Active Directory

Active Directory structure

Interoperability standards adherence

Common sense planning and deployment tips


What is a Directory Service?

Stated simply, a directory service is a listing that helps organize and locate information

There are two primary components
• Directory store for data
• Services that act on the data

Service functions include data replication, security rule enforcement, data distribution … and more


What is Active Directory?

Microsoft’s Windows 2000/.NET Server implementation of directory services

Networked object store and service that locates and manages resources

Authenticates authorized use of resource objects by users according to defined rules


Specific Enterprise Functions of AD

Stores data on every object and its attributes

Security - ACL authentication and domain trusts

Central point for enterprise administration

Mechanism for OS interoperability

Consolidation of divergent directory services

System to replicate object data


Active Directory Relationships

Active Directory treats everything as an object … users, files, computers, devices, etc.

Access to object anywhere in enterprise is possible (assuming permission)

DNS resolves computer name during object query

LDAP (Lightweight Directory Access Protocol) resolves object locations

MIT Kerberos provides user authentication


Administration of Active Directory

Permits finite hierarchical management

Supports delegation of admin functions

Provides single point for enterprise management

Supports open standards, APIs and scripting

Provides backward compatibility with Windows NT and Novell Directory Services


Active Directory Structure

Active Directory divides itself into Logical and Physical Structures

Logical Structures include components called domains, trees, forests, organizational units and the schema (containers for data)

Physical Structures include network defined sites and domain controllers (data locations & stores)


Logical Structure

Base components are objects and their attributes

Schema – mechanism for storing object classes

Objects organized around hierarchical domain model

Each domain has its own security permissions and relationship with other domains


Active Directory Domain

Hierarchical infrastructure of networked computers

Domain – Computer systems and network resources that share common security boundary

Domain can cross physical locations and sites

Viewed as grouping of resources that use a common domain name (namespace)


Domain Trees

Multiple domains share common schema, security relationship, Global Catalog

Identify domain tree by common, contiguous namespace
• Sales.xyz.com and research.xyz.com = child domains to xyz.com domain
• Xyz.com is root domain for domain tree


Active Directory Domain Tree

Users log on directly to a Windows 2000 domain tree

[Diagram: Domain.com is the root domain; Sales.Domain.com and Products.Domain.com are its child domains]


Domain Forest

Domain forests created when domain trees with different namespaces form trust relationship
• Xyz.com & abc.com become tree when trust established

All trees within forest share common Global Catalog, configuration, and schema

A forest has no unique name but is reference point between trees


Active Directory Forest

User logs on to his/her domain, but can be granted access to any forest resource

[Diagram: two domain trees in one forest. Tree 1: root domain Domain.com with child domains Sales.Domain.com and Products.Domain.com. Tree 2: root domain Domain2.com with child domains Sales.Domain2.com and Products.Domain2.com]
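The contiguous-namespace rule from the Domain Trees slide, and the forest made of trees with unrelated roots from the slides above, can be applied mechanically to a list of domain names. The Python below is an added example, not code from the presentation: it treats a domain as the child of the domain whose DNS name is its own name minus the leading label, groups the domains into trees, and reports one root per tree. The domain names are constructed samples.

```python
"""Group the DNS names of a forest's domains into domain trees.

Added example, not code from the presentation. It applies the rule on the
Domain Trees slide: a domain is the child of the domain whose DNS name is its
own name with the leading label removed (contiguous namespace), and each tree
has exactly one root, a domain with no parent among the domains listed.
The domain names used below are constructed samples.
"""
from __future__ import annotations

from collections import deque


def _normalise(name: str) -> str:
    """DNS names are case-insensitive; compare them in one canonical form."""
    return name.strip().rstrip(".").lower()


def parent_domain(domain: str, domains: set[str]) -> str | None:
    """Return the parent of ``domain`` if it is one of ``domains``, else None.

    Only the immediate parent counts: ``eu.sales.xyz.com`` is a child of
    ``sales.xyz.com``, not of ``xyz.com``.
    """
    labels = _normalise(domain).split(".")
    candidate = ".".join(labels[1:])
    return candidate if candidate in domains else None


def tree_roots(domain_names: list[str]) -> list[str]:
    """Domains with no parent in the list; one per domain tree, sorted."""
    domains = {_normalise(d) for d in domain_names}
    return sorted(d for d in domains if parent_domain(d, domains) is None)


def build_forest(domain_names: list[str]) -> dict[str, dict[str, list[str]]]:
    """Return ``{root: {domain: [child domains]}}``, one inner map per tree.

    Children are listed in sorted order so the result is deterministic.
    """
    domains = {_normalise(d) for d in domain_names}
    children: dict[str, list[str]] = {d: [] for d in domains}
    for d in domains:
        parent = parent_domain(d, domains)
        if parent is not None:
            children[parent].append(d)
    forest: dict[str, dict[str, list[str]]] = {}
    for root in tree_roots(domain_names):
        tree: dict[str, list[str]] = {}
        queue = deque([root])
        while queue:                      # breadth-first walk of one tree
            current = queue.popleft()
            tree[current] = sorted(children[current])
            queue.extend(tree[current])
        forest[root] = tree
    return forest


def tree_of(domain: str, domain_names: list[str]) -> str | None:
    """Root of the tree containing ``domain``, or None if it is not listed."""
    target = _normalise(domain)
    for root, tree in build_forest(domain_names).items():
        if target in tree:
            return root
    return None


if __name__ == "__main__":
    sample = ["xyz.com", "Sales.xyz.com", "research.xyz.com",
              "eu.sales.xyz.com", "abc.com"]   # constructed sample forest
    for root, tree in build_forest(sample).items():
        print(f"tree rooted at {root}:")
        for domain, kids in tree.items():
            print(f"  {domain} -> {kids or 'no child domains'}")
```

A domain with no parent in the list is always its own root, so a name from an unrelated namespace (abc.com beside xyz.com) shows up as a second tree, which is the forest case on the slides.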


Organizational Units (OUs)

Domains can be divided into organizational units

Organizational units can nest within one another

Use OUs to reflect departmental divisions or units with unique security and administrative rights

Administrative delegation of resources easy to apply to OU subsets


Active Directory OU

Organizational Units (OU) are sub-units within a domain

[Diagram: root domain Domain.com with child domains Sales.Domain.com and Products.Domain.com; Sales.Domain.com is subdivided into nested OUs (OU 1 through OU 5, with an OU 3 appearing under more than one parent); an object in OU 3 is written OU 3.Sales.Domain.com, and the user logs on to OU 3]
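The two OU slides above state that OUs nest and that delegation is applied to OU subsets. Active Directory names each object and OU by an LDAP distinguished name (DN), and a delegation granted on an OU reaches everything whose DN sits below that OU. The Python below is an added example, not code from the presentation: it parses DNs, decides whether an object lies inside a delegated OU, and lists the groups whose delegation covers a given object. The DNs, group names and the DELEGATIONS table are constructed samples modelled on the Sales.Domain.com diagram, including a second "OU 3" under a different parent.

```python
"""Decide which delegated OU scopes cover an Active Directory object.

Added example, not code from the presentation. Objects and OUs are named by
LDAP distinguished names (DNs), read from the most specific component on the
left to the domain on the right. An OU's delegation covers every object whose
DN ends with the OU's DN, so delegating an OU also covers the OUs nested in it.
The DNs and group names below are constructed samples.
"""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific first.

    Handles backslash-escaped commas such as ``CN=Doe\\, Jane``; the full
    RFC 4514 escaping rules are not implemented.
    """
    parts: list[str] = []
    buf = ""
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    result = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        result.append((attr.strip().upper(), value.strip()))
    return result


def _canonical(dn: str) -> list[tuple[str, str]]:
    """DN comparison in AD is case-insensitive for both attribute and value."""
    return [(attr, value.lower()) for attr, value in parse_dn(dn)]


def in_scope(object_dn: str, scope_dn: str) -> bool:
    """True if the object lies below ``scope_dn`` (not the scope object itself)."""
    obj, scope = _canonical(object_dn), _canonical(scope_dn)
    return len(obj) > len(scope) and obj[-len(scope):] == scope


def ou_path(object_dn: str) -> list[str]:
    """The OU chain from the domain down to the object, for display."""
    return [value for attr, value in reversed(parse_dn(object_dn)) if attr == "OU"]


def delegated_admins_for(object_dn: str,
                         delegations: dict[str, set[str]]) -> set[str]:
    """Union of the groups delegated over every OU that contains the object."""
    admins: set[str] = set()
    for scope_dn, groups in delegations.items():
        if in_scope(object_dn, scope_dn):
            admins |= groups
    return admins


# Constructed sample: the Sales.Domain.com child domain from the OU slide,
# with OU 3 appearing under both OU 1 and OU 2 (same name, different parents).
DELEGATIONS = {
    "OU=OU 1,DC=sales,DC=domain,DC=com": {"Sales OU1 Admins"},
    "OU=OU 3,OU=OU 1,DC=sales,DC=domain,DC=com": {"OU3 Helpdesk"},
    "OU=OU 2,DC=sales,DC=domain,DC=com": {"Sales OU2 Admins"},
}

if __name__ == "__main__":
    for user in ("CN=jdoe,OU=OU 3,OU=OU 1,DC=sales,DC=domain,DC=com",
                 "CN=asmith,OU=OU 3,OU=OU 2,DC=sales,DC=domain,DC=com",
                 "CN=bwong,OU=OU 1,DC=domain,DC=com"):
        print(user, "->", ou_path(user), sorted(delegated_admins_for(user, DELEGATIONS)))
```

Because the comparison is on the whole DN suffix, the two OUs named "OU 3" are kept apart, and an object in the parent domain (DC=domain,DC=com) matches none of the Sales.Domain.com delegations: the domain is the security boundary the Active Directory Domain slide describes, and an OU delegation never crosses it.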


Physical Structure

Mechanism for data communication and replication

Two primary components
• Site – IP subnet network structural component
• Domain controller and Global Catalog – physical server that stores and replicates data


Active Directory Site

Physical network structure of Active Directory

Purpose: provides method to regulate inter-subnet traffic

Primary goal: rapid, economical data transmission

Do not define sites by location boundaries; define by reliable communications

No formal relationship between site and domain … they can cross each other


Domain Controller (DC)

Server containing copy of Active Directory

All domain controllers are peers that maintain replicated versions of Active Directory

DC locates resources and authenticates users

Global Catalog is special domain controller that contains abbreviated listing of objects for rapid indexing and locating resources

DC assigned to site at installation
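The Physical Structure, Site and Domain Controller slides describe sites as IP-subnet groupings with domain controllers assigned to them, and the DC as the server that locates resources and authenticates users. The Python below is an added example, not code from the presentation: it resolves a client address to a site by the most specific matching subnet, then prefers a domain controller of the client's domain in that site and falls back to any DC of the domain when the site has none. The subnets, site names and DC host names in SITE_SUBNETS and DOMAIN_CONTROLLERS are constructed samples, and the fallback rule is this example's assumption about client behaviour.

```python
"""Pick a domain controller by Active Directory site from a client's IP.

Added example, not code from the presentation. It models the physical
structure on the slides: sites are defined by IP subnets, and a domain
controller is assigned to a site. A client's site is the most specific
(longest-prefix) subnet containing its address; it then prefers a DC of its
own domain in that site and otherwise falls back to any DC of the domain.
All subnets, site names and DC host names below are constructed samples.
"""
from __future__ import annotations

import ipaddress

# constructed sample: subnet -> site
SITE_SUBNETS = {
    "10.0.0.0/8": "HQ",
    "10.20.0.0/16": "Branch-Chicago",
    "10.20.5.0/24": "Branch-Chicago-Lab",   # more specific than 10.20.0.0/16
    "192.168.50.0/24": "Branch-Remote",
}

# constructed sample: DC host -> (domain it serves, site, holds Global Catalog?)
DOMAIN_CONTROLLERS = {
    "dc1.domain.com": ("domain.com", "HQ", True),
    "dc2.domain.com": ("domain.com", "Branch-Chicago", False),
    "dc1.sales.domain.com": ("sales.domain.com", "HQ", True),
}


def site_for_ip(ip: str, site_subnets: dict[str, str] = SITE_SUBNETS) -> str | None:
    """Site whose subnet contains ``ip``; longest prefix wins; None if none matches."""
    addr = ipaddress.ip_address(ip)
    best: tuple[int, str] | None = None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, site)
    return best[1] if best else None


def find_dcs(ip: str, domain: str, need_gc: bool = False,
             dcs: dict[str, tuple[str, str, bool]] = DOMAIN_CONTROLLERS,
             site_subnets: dict[str, str] = SITE_SUBNETS) -> list[str]:
    """DCs of ``domain`` in the client's site, else all DCs of the domain.

    ``need_gc`` restricts the answer to Global Catalog servers, which a
    forest-wide lookup needs. An empty list means the domain has no usable DC.
    """
    site = site_for_ip(ip, site_subnets)
    candidates = [host for host, (dom, _, gc) in dcs.items()
                  if dom == domain.lower() and (gc or not need_gc)]
    in_site = [host for host in candidates if dcs[host][1] == site]
    return sorted(in_site) or sorted(candidates)


if __name__ == "__main__":
    for client, dom in (("10.20.5.77", "domain.com"), ("10.20.9.1", "domain.com"),
                        ("172.16.0.1", "sales.domain.com")):
        print(client, "site:", site_for_ip(client), "DCs:", find_dcs(client, dom))
```

The longest-prefix rule is what lets a small lab subnet be carved out of a larger branch range without redefining the branch; an address outside every configured subnet resolves to no site at all, which is the case to watch for in a deployment review, because such clients cannot be steered to a nearby DC.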


Role of the Domain Controller

Every domain controller maintains information as part of Active Directory
• Data on every object and container object
• Metadata about other domains in tree or forest
• Listing of all domains in tree or forest
• Location of server with Global Catalog


Adherence to Industry Standards

Greater interoperability = open standards adherence
• DNS Dynamic Update – RFC 2052, 2163
• Dynamic Host Configuration Protocol – RFC 2131
• Kerberos v5 – RFC 1510
• Lightweight Directory Access Protocol – RFC 2251, 1823
• LDAP Schema – RFC 2247, 2252, 2256
• Simple Network Time Protocol – RFC 1769
• Simple Mail Transfer Protocol – RFC 821
• TCP/IP – RFC 791, 793
• X.509 v3 Certificates – ISO X.509


Simplifying Planning/Deployment

Active Directory planning/deployment is large task … but not overwhelming

Start by gathering organizational data

Design domain model on organizational structure

Design site & domain controller requirements based upon network connectivity


Gathering Organizational Data

Required data readily available
• Start with organization charts to help define domains & OUs
• Define what data resources are shared & restricted
• Ask HR for employee classifications for group policies
• Establish permissions based on common system needs
• Map physical locations & available connectivity
• Review where organizational shifts likely to occur


Domains vs. Organizational Units

Single domain with OUs is easiest to manage

Single domain model may not meet needs in more complex organizations

Generally, size & need for separate identity are critical decision points


When to Use Domain Trees

Desire for decentralized management

Unique business activities dictate child domains

Need to establish unique domain wide policies

In large organizations, child domains lend themselves to localized vs. centralized control


When to Use Domain Forest Model

When separate domain names required

When radically different business activities exist

When acquired organizations require trusts during initial merging of operations

Joint venture or partnership arrangements where resources & data must be shared


Restricting Domain Forest Trusts

Trusts between domains within tree are bi-directional (transitive)

Trusts in forest established in one direction at a time; NOT automatically transitive

Set all trusts in forest explicitly
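The rule on this slide, that trusts inside a tree are two-way and transitive while trusts set between trees are one-directional and not automatically transitive, determines which domains a user can ultimately be granted access in. The Python below is an added example, not code from the presentation: it derives the implicit parent-child trusts of a tree from domain names, takes the explicit cross-tree trusts as data, and computes the set of domains reachable from a user's domain, allowing chains only when every link is transitive. It is the kind of check a reviewer runs before and after adding a trust to see what the change actually opens up. The domain names and the abc.com trust are constructed samples.

```python
"""Which domains a user can reach through the trusts of a forest.

Added example, not code from the presentation. It encodes the rule on the
trusts slide: parent and child domains of one tree trust each other in both
directions transitively, while trusts set between trees are listed explicitly,
one direction at a time, and are not transitive unless marked so. A user from
domain U can be granted access in domain R when R trusts U directly, or when
R is reached from U through a chain of transitive trusts only.
Domain names below are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain that accepts authentication from ``trusted``
    trusted: str       # domain whose users are accepted
    transitive: bool   # may the trust be chained with other transitive trusts?


def tree_trusts(domain_names: list[str]) -> set[Trust]:
    """Implicit two-way transitive trusts between each parent and child domain."""
    domains = {d.lower() for d in domain_names}
    trusts: set[Trust] = set()
    for child in domains:
        parent = child.partition(".")[2]        # drop the leading DNS label
        if parent in domains:
            trusts.add(Trust(child, parent, True))
            trusts.add(Trust(parent, child, True))
    return trusts


def resource_domains_for(user_domain: str, trusts: set[Trust]) -> set[str]:
    """Domains in which a user from ``user_domain`` can be granted access."""
    user_domain = user_domain.lower()
    # A direct trust works whether or not it is transitive.
    direct = {t.trusting for t in trusts if t.trusted == user_domain}
    # Longer chains are only valid when every link in them is transitive.
    via_chain: set[str] = set()
    stack = [user_domain]
    while stack:
        current = stack.pop()
        for t in trusts:
            if (t.trusted == current and t.transitive
                    and t.trusting != user_domain and t.trusting not in via_chain):
                via_chain.add(t.trusting)
                stack.append(t.trusting)
    return direct | via_chain


def can_access(user_domain: str, resource_domain: str, trusts: set[Trust]) -> bool:
    """True when a trust path allows users of ``user_domain`` into ``resource_domain``."""
    return resource_domain.lower() in resource_domains_for(user_domain, trusts)


if __name__ == "__main__":
    # constructed sample forest: the xyz.com tree plus a separate abc.com tree
    forest_trusts = tree_trusts(["xyz.com", "sales.xyz.com", "research.xyz.com"])
    # explicit one-way, non-transitive trust: abc.com trusts xyz.com
    forest_trusts.add(Trust("abc.com", "xyz.com", False))
    for d in ("xyz.com", "sales.xyz.com", "abc.com"):
        print(d, "->", sorted(resource_domains_for(d, forest_trusts)))
```

With the sample data, users of xyz.com can be granted access in abc.com, users of sales.xyz.com cannot (the only link into abc.com is not transitive), and users of abc.com reach nothing in the xyz.com tree because the trust runs in one direction. Flipping the abc.com trust to transitive widens the reachable set to every domain in the xyz.com tree, which is exactly why the slide asks for each forest trust to be set explicitly rather than assumed.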


Conclusion

Active Directory is very powerful tool for enhancing administration and security

Understanding basic logical & physical structure is fundamental

Planning & deployment requires work but not as overwhelming as press reports


Further Information

Contact Robert Williams
• [email protected]

References by Robert Williams

Forthcoming 2002

© Copyright Robert Williams 2002