
Day 2 Active Directory

Objectives
After completing this module, you will be able to: describe the functionality of AD DS in an enterprise in relation to identity and access; describe the major components of AD DS; and install AD DS and configure it as a domain controller.
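The third objective, promoting a server to the first domain controller of a new forest, is worth seeing as a script rather than a wizard. The following is an added example and not course material; the domain name, forest level and file paths are assumptions, and the DSRM password is prompted for rather than embedded.

```powershell
# Added example: promote a fresh Windows Server to the first domain controller
# of a new forest. Domain name, functional levels and paths are assumptions.
#Requires -RunAsAdministrator

# 1. Install the AD DS role binaries plus the RSAT tools (ADDSDeployment module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. The Directory Services Restore Mode (DSRM) password unlocks offline access
#    to the directory database, so prompt for it instead of hard-coding it.
$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString

$forestParams = @{
    DomainName                    = 'corp.example.local'   # assumed FQDN
    DomainNetbiosName             = 'CORP'                 # assumed NetBIOS name
    ForestMode                    = 'WinThreshold'         # Windows Server 2016 level
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true                  # DC also serves AD-integrated DNS
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
    NoRebootOnCompletion          = $true
    Force                         = $true
}

# 3. Dry run: the same prerequisite checks the wizard performs, with no changes made.
$check = Test-ADDSForestInstallation @forestParams
$check | Format-List Status, Message

# 4. Promote only if the checks pass. A reboot is still required afterwards;
#    NoRebootOnCompletion merely lets you choose when.
if ($check.Status -eq 'Success') {
    Install-ADDSForest @forestParams
    Restart-Computer -Confirm
}

# 5. After the reboot, confirm the new DC is discoverable and advertising.
Get-ADDomainController -Discover -Service ADWS | Format-List Name, Domain, Site
dcdiag /test:Advertising
```

Once the promotion completes, the local SAM on this server is no longer used for domain logons; the server's own local accounts are replaced by the directory, and the Administrator account you logged on with becomes the domain Administrator.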

Key points

At the core of information protection are two critical concepts: identity and access. In a secured system, each user is represented by an identity; in Windows, this is a user account. An identity is called a security principal and is represented in the system by a SID (security identifier). Many Windows resources, including files and folders on NTFS volumes, are secured by a security descriptor that contains a discretionary access control list (DACL), in which each permission takes the form of an access control entry (ACE) that grants or denies rights to one security principal, identified by its SID. Authentication is the process of verifying a user's identity.

In a workgroup model, all users and computers are stored in the local SAM (Security Accounts Manager) registry database. Each machine has its own SAM, so an account on one computer is unknown to every other computer. An Active Directory domain provides a centralized identity store trusted by all domain members, that is, all computers that have a computer account in the domain.

AD LDS

AD LDS is essentially a stand-alone version of Active Directory that applications access by using Lightweight Directory Access Protocol (LDAP). AD LDS is the replacement for Active Directory Application Mode (ADAM). The name of the previous version of the tool indicates its purpose: AD LDS is designed to provide support for directory-enabled applications. It can be used for applications that require a directory store but do not require the type of infrastructure provided by an Active Directory domain. Each instance of AD LDS can have its own schema, configuration, and application partitions. This allows you to create a highly customized directory store without affecting your production identity and access (IDA) infrastructure, which is based on AD DS. Although AD LDS is not dependent on AD DS, in a domain environment AD LDS can use AD DS authentication of Windows security principals, such as users, computers, and groups.
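Returning to the security descriptor, DACL, ACE and SID terms from the key points above: the following added example (not part of the course notes) reads a folder's descriptor, resolves each ACE's principal to its SID, then adds an Allow and a Deny ACE. The folder path and the CORP group names are assumptions; on a machine outside such a domain, Set-Acl will fail to translate those names, which is itself the point about SIDs being the real identity.

```powershell
# Added example: inspect and modify the security descriptor on an NTFS folder.
# 'C:\Finance' and the CORP\... group names are assumptions for illustration.
#Requires -RunAsAdministrator
$path = 'C:\Finance'
if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

$acl = Get-Acl -Path $path

# Owner and the raw SDDL string of the descriptor (O: owner, G: group, D: DACL).
"Owner: $($acl.Owner)"
"SDDL : $($acl.Sddl)"

# Each entry in the DACL is an ACE: a principal (shown by name, stored as a SID),
# a set of rights, and whether the entry allows or denies them.
foreach ($ace in $acl.Access) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    '{0,-6} {1,-30} {2,-46} {3}' -f $ace.AccessControlType,
        $ace.IdentityReference.Value, $sid.Value, $ace.FileSystemRights
}

# Add an Allow ACE for a domain group, inherited by subfolders and files.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\Finance-Users',                                                   # assumed group
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($allow)

# Add a Deny ACE. In a canonical DACL, explicit Deny ACEs are ordered before explicit
# Allow ACEs, so a Deny on a group beats an Allow on a member of that group.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\Contractors', 'Delete', 'ContainerInherit, ObjectInherit', 'None', 'Deny')   # assumed group
$acl.AddAccessRule($deny)

# Writing the descriptor is where the names above are translated to SIDs;
# an unknown name fails here with "identity references could not be translated".
Set-Acl -Path $path -AclObject $acl

# Verify. A principal that shows up only as S-1-5-21-... is a SID that no longer
# resolves, usually a deleted account whose ACE was never cleaned up.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

The same descriptor model (owner, DACL, ACEs keyed by SID) applies to registry keys, services, Active Directory objects and the other securable objects Windows exposes; only the rights enumeration changes.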
AD LDS can be configured in a domain or non-domain environment, and it is even possible to run multiple instances on a single system, each with its own unique LDAP and Secure Sockets Layer (SSL) ports, so that each instance can be reached over its own secured connection.

AD CS

AD CS extends the concept of trust so that a user, computer, organization, or service can prove its identity inside or outside the border of your Active Directory forest. Certificates are issued by a certification authority (CA). When a user, computer, or service uses a certificate to prove its identity, the client in the transaction must trust the issuing CA. A list of trusted root CAs, which includes VeriSign and Thawte, is maintained by Windows and updated as part of Windows Update. Certificates can be used for numerous purposes in an enterprise network, including the creation of secure channels such as the SSL example mentioned in the AD LDS section. Additionally, certificates can be used for virtual private networks (VPNs), wireless security, and authentication, such as smart card logon. AD CS provides the technologies and tools that help create and manage a public key infrastructure (PKI). Although AD CS can be run on a stand-alone server, it is much more common and much more powerful to run AD CS integrated with AD DS, which can act as a certificate store and provide a framework to manage the lifetime of certificates: how they are obtained, renewed, and revoked.

AD RMS

AD RMS creates a framework with which you can ensure the integrity of information, both within and outside your organization. In the traditional model of information protection, ACLs are used to define how information can be accessed. For example, a user may be given the Read permission to a document. However, there is nothing to prevent that user from performing any number of actions after that document is opened. The user can make changes to the document and save it in any location, print the document, or forward the document by email to a user who otherwise does not have Read permission to the document. AD RMS addresses these and other such scenarios by enforcing information use policies. AD RMS accomplishes this by using licenses and encryption to protect information and by relying on rights management-enabled applications that can consume the licenses, create usage policies, open protected content, and enforce usage policies.
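The AD CS point above, that the client must trust the issuing CA, is something you can check directly. The following added example (not from the course notes) lists the machine's trusted root store and then builds and validates the chain for a certificate file, with revocation checking on. The certificate path is an assumption; any exported .cer file will do.

```powershell
# Added example: does this certificate chain to a CA the local machine trusts?
# The certificate path is an assumption for illustration.
$certPath = 'C:\temp\server.cer'   # assumed
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Trusted root CAs live in the machine's Root store. Windows Update refreshes the
# public roots; an enterprise CA integrated with AD DS is pushed to domain members
# through Group Policy, which is why they trust it without any manual import.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root
"Trusted root CAs on this machine: $($roots.Count)"

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Check revocation (CRL/OCSP) for every certificate except the self-signed root.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
# NoFlag = do not relax any check. Setting AllowUnknownCertificateAuthority here is
# the classic mistake that turns a trust check into a no-op.
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$trusted = $chain.Build($cert)
"Chain builds to a trusted root: $trusted"

# Walk the chain from leaf to root.
foreach ($element in $chain.ChainElements) {
    '{0}  <- issued by {1}' -f $element.Certificate.Subject, $element.Certificate.Issuer
}

# ChainStatus is empty on success; otherwise it names the failure
# (UntrustedRoot, RevocationStatusUnknown, NotTimeValid, PartialChain, ...).
$chain.ChainStatus | Select-Object Status, StatusInformation
$chain.Dispose()
```

For smart card logon the domain controller applies one more condition beyond this chain: the issuing CA must also be present in the forest's NTAuth store, so a certificate that passes the check above can still be rejected for logon if the CA was never published there.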
AD FS

AD FS allows an organization to extend the authority of the directory service for authenticating users across multiple organizations, platforms, and network environments. The traditional Windows domain trust relationship creates a trust in which the trusting domain allows the trusted domain to authenticate users, but the result is that all users in the trusted domain are trusted. Moreover, to maintain a trust, several firewall exceptions must be made that are not agreeable to many organizations and certainly not suitable for supporting web-facing applications. To overcome this problem, AD FS can be configured to maintain trusts by using common ports such as 80 and 443. AD FS is extremely useful for extending a directory's authority in business-to-business and partnership scenarios, as well as for supporting single sign-on web applications.

Organizational units

A particularly useful type of directory object contained within domains is the organizational unit. Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains. An organizational unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority. Using organizational units, you can create containers within a domain that represent the hierarchical, logical structures within your organization. You can then manage the configuration and use of accounts and resources based on your organizational model.

Group Policy

Group Policy in part controls what users can and cannot do on a computer system, for example: to enforce a password complexity policy that prevents users from choosing an overly simple password, to allow or prevent unidentified users on remote computers from connecting to a network share, to block access to the Windows Task Manager, or to restrict access to certain folders. A set of such configurations is called a Group Policy Object (GPO).

Group Policy Objects are processed in the following order (from top to bottom), and a setting applied later overrides the same setting applied earlier:

1. Local - Any settings in the computer's local policy. Prior to Windows Vista, there was only one local Group Policy Object stored per computer. Windows Vista and later versions allow multiple local GPOs: one for the computer, one each for administrators and non-administrators, and one per individual user account.
2. Site - Any GPOs linked to the Active Directory site in which the computer resides. (An Active Directory site is a set of well-connected IP subnets; it represents physical network topology, independent of the logical domain structure.) If multiple GPOs are linked to a site, they are processed in the link order set by the administrator.
3. Domain - Any GPOs linked to the Windows domain in which the computer resides. If multiple GPOs are linked to the domain, they are processed in the link order set by the administrator.
4. Organizational Unit - GPOs linked to the Active Directory organizational unit (OU) in which the computer or user object is placed. (OUs are logical units that help organize and manage a group of users, computers or other Active Directory objects.) Where OUs are nested, the parent OU is processed before the child, so the child's settings win. If multiple GPOs are linked to an OU, they are processed in the link order set by the administrator; link order 1 is processed last and therefore has the highest precedence.

Two exceptions change this order: a GPO link marked Enforced cannot be overridden by a lower-level link, and an OU marked Block Inheritance ignores non-enforced links from above it.
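The OU and Group Policy material above comes together in one administrative sequence: create an OU, set the domain password policy, link a hardening GPO to the OU, then read back the processing order. The following is an added example and not part of the course notes; the OU name, GPO name and registry-backed setting are assumptions chosen to match the Task Manager example in the text.

```powershell
# Added example: OU creation, domain password policy, GPO link, and a view of the
# resulting Group Policy processing order. Names are assumptions for illustration.
Import-Module ActiveDirectory, GroupPolicy

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName              # e.g. DC=corp,DC=example,DC=local
$ouDn     = "OU=Workstations,$domainDn"            # assumed OU

# 1. Create the OU if it does not exist (ProtectedFromAccidentalDeletion is on by default).
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDn
}

# 2. Password complexity is a domain-wide setting held in the domain head. It is
#    delivered by the GPO linked at the domain level (Default Domain Policy); the
#    same settings in a GPO linked to an OU do not affect domain accounts. Use
#    fine-grained password policies (PSOs) when one group needs stricter rules.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -ComplexityEnabled $true -MinPasswordLength 14 -LockoutThreshold 10

# 3. Create the hardening GPO and link it to the OU with link order 1.
$gpoName = 'Workstation Hardening'                 # assumed
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Added example' }

$alreadyLinked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Order 1
}

# Registry-backed setting on the User Configuration side: block Task Manager.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1

# 4. What reaches objects in this OU, and in which order. LSDOU: local, site, domain,
#    then each OU top-down; later wins, so the OU link with Order 1 is applied last
#    and overrides the domain GPOs unless one of those links is Enforced.
$inh = Get-GPInheritance -Target $ouDn
"Block Inheritance on $($inh.Name): $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# 5. On a member computer in the OU, after 'gpupdate /force', this shows the
#    resolved order actually applied:  gpresult /r /scope:computer
```

Note that the password policy in step 2 is not set through the OU-linked GPO deliberately: account policies for domain accounts are only read from GPOs linked at the domain, which is a common source of confusion when a stricter policy linked to an OU appears to have no effect.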
