ACTIVE DIRECTORY OUTLINE

Active Directory is the flagship component of Windows 2000 Server and Advanced Server, from logon to application installation.

Definition of Directory
o Directories have been around since the 60s
o Current examples are:
  o Domain Name System (DNS)
  o Windows Internet Name Service (WINS)
  o Novell Directory Services (NDS)
o A database used to store and organize data

What is a Directory Service?
o A stored collection of information about defined objects that are related to each other in some way
  o Telephone directory - stores names of entities and telephone numbers
o In a modern computing environment many objects need to be located and used:
  o Servers
  o Printers
  o Fax Servers
  o Databases
o Admins and users must be able to locate and use these objects
o A directory service stores all the information needed to use and manage these objects centrally
o Provides the means of storing the information AND the services making this information available to users
o It is the main switchboard and central authority of your network operating system that:
  o Manages the identities
  o Controls the relationships (access) between resources
o Because of this it must be tightly coupled with the OS's management and security mechanisms to be effective
o Allows the definition and maintenance of the network infrastructure
  o Allowing system admins to control the user experience

Why Have a Directory Service?
o A simplified and centralized means of organizing and administering access to the resources of a network
  o NT 4 Domains: flat and very limited
o Users only need to know attributes of an object to find something (provided they were added!)
o Is an administrative and end-user tool
o Other Functions
  o Enforce security
  o Distribute a Directory across many computers in the Network
  o Replicate information to make it available and resist failure
  o Partitioning allows multiple stores across a network for larger amounts of data and allows for more space

Simplified Administration
o Resources organized hierarchically in Domains
  o A Domain has one or more linked Domain Controllers
  o A change made to one DC is made to all DCs in the Domain
  o A single point of admin for all objects in the network

Scalability
o Directory can be broken into sections to allow for a large number of objects
o Can easily be expanded (or contracted)

Open Standards Support
o Uses DNS for its name system
  o Integrates the Internet concept of a name space
  o Allows you to unify and manage multiple name spaces that already exist (if they do)
o Can exchange information with any app or directory that uses LDAP or HTTP

DNS
o W2K (Active Directory) names are DNS names
o Dynamic DNS allows auto update of the DNS table

Support for LDAP and HTTP
o LDAP
  o Version of the X.500 directory access protocol
  o AD supports LDAP 2 and 3
o HTTP support can display every object in a web browser

Support Standard Name Formats
o RFC 822
  o Someone@Domain
o HTTP Uniform Resource Locator (URL)
  o http://domain/path-to-page
o Universal Naming Convention (UNC)
  o .doc
o LDAP URL
  o LDAP://server.domain.com/CN=first name,OU=admin,OU=Division,DC=services

Directories must address four business principles:
o Cost
  o Business decisions are based on return on investment and expected result at a given cost
  o Perceived value must outweigh the actual costs
o Security
  o "Money is Power" has changed to "Information is Power"
  o Information includes competitive and proprietary data
  o This information must be secure
o Reliability
  o Uptime is the key word in business networks
  o If the information is not available, it is of no value
o Performance
  o Good network design can produce results
  o Bad design impacts the ability to perform

Before Directories
o Network operating systems (NOS) were server based
  o Account management done on a server-by-server basis
  o Each server maintained its own list of user accounts
    o Accounts database
  o Each server also maintained a list of user permissions
    o Access Control List (ACL)
o Server-based networking does not scale!

Windows NT Solution
o Small groups of servers share one list of users
  o Central accounts database
  o Single point of management for administration
o Domain-based networking, but still does not scale

In a Domain
o All user information is stored in a single place and managed with a single set of tools
o Users can access the network via a single account

Network Directory Environment
o Holds ALL user and resource information across the entire network
o Users ARE resources

Network Directories
o Are databases that hold network information including:
  o User account info (logon names, passwords, restrictions)
  o User personal info (phone numbers, addresses, employee ID numbers)
  o Peripheral configuration info (printers, modems, faxes)
  o Application configurations (desktop preferences, default directories)
  o Security information
  o Network infrastructure configuration (routers, proxies, Internet access settings)
o Information stored in a centrally controlled, standards-based database
o Becomes the central control point for many different network processes
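The standard name formats listed above (RFC 822 address, HTTP URL, UNC path, LDAP URL), handled by an added example that is not part of the original outline. It recognises each format, splits an LDAP distinguished name into its RDNs (including the escaped-comma case), and derives the domain's DNS name from the DC components, which is the mapping behind "Active Directory names are DNS names". All sample names, including the corp.example.com domain and the fileserver share, are constructed for illustration.

```python
"""Recognise the name formats an AD-aware client meets and decompose them.

Added example, not part of the original outline. The sample names in
the demo are constructed; the parsing follows the RFC 822 / URL / UNC /
LDAP-URL shapes the outline lists.
"""
import re
from urllib.parse import urlsplit, unquote


def parse_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs, most specific first.

    A comma that is escaped with a backslash (RFC 4514 style, e.g.
    'CN=Doe\\, Jane') is part of the value, not an RDN separator.
    """
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dns_name_from_dn(dn):
    """The DNS name of the domain an object lives in is its DC components,
    joined with dots in the order they appear (root domain last)."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def classify(name):
    """Return (format, fields) for one name, or ("unknown", {}) if it fits none."""
    # RFC 822: local-part@domain, no path separators or whitespace
    if re.fullmatch(r"[^@\s/\\]+@[^@\s/\\]+", name):
        user, domain = name.split("@")
        return "rfc822", {"user": user, "domain": domain.lower()}
    # UNC: \\server\share\path...
    if name.startswith("\\\\"):
        parts = name[2:].split("\\")
        if len(parts) < 2:
            return "unknown", {}
        return "unc", {"server": parts[0], "share": parts[1],
                       "path": "\\".join(parts[2:])}
    u = urlsplit(name)
    if u.scheme.lower() in ("http", "https"):
        return "http", {"host": u.hostname, "path": u.path}
    if u.scheme.lower() in ("ldap", "ldaps"):
        dn = unquote(u.path.lstrip("/"))
        return "ldap", {"server": u.hostname, "dn": dn,
                        "rdns": parse_dn(dn), "domain": dns_name_from_dn(dn)}
    return "unknown", {}


if __name__ == "__main__":
    # Constructed sample names, one per format from the outline.
    for sample in ("someone@Example.com",
                   "http://domain/path-to-page",
                   r"\\fileserver\docs\policies\handbook.doc",
                   "LDAP://server.domain.com/CN=first name,OU=admin,OU=Division,DC=services",
                   "ldap://dc1.corp.example.com/CN=Doe\\, Jane,OU=Sales,DC=corp,DC=example,DC=com"):
        print(sample, "->", classify(sample))
```

Knowing which domain a DN resolves to matters for access decisions: the DC components tell you which domain's ACLs and trusts govern the object, and the RDN order (most specific first) tells you which OU hierarchy it sits in.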
User Logon
o Client software will request authentication from the directory
o Directory service will identify if the account name is valid
o Check for a password
o Validate the submitted password
o Check for any restrictions on the account
o Determine if the logon request should be granted

Resource Access
o Directory queried each time a user tries to access a network resource
o Directory authenticates the request
o Determines if the user has appropriate permissions
o Returns the resource's physical address to the client

Personal Preferences
o Upon logon, desktop settings, default printer, home directory location and application icons are downloaded to whatever computer the user logs on from
o All settings are centrally located
o Can be centrally controlled

Network Directories - Active Directory
o Contains information used to access, manage or configure a network
o Records are called objects
o Definition of how those records are formed and what properties are available is stored in the schema
o Extensible because the schema can be modified
o Is a hierarchical, not relational, database
o Objects are contained in multiple classes

Central Database of Network Resources
o Object classes have properties pertaining to their function
o All information about all network resources in a single database has advantages
  o Administrators have a single interface
  o Reduced learning curve for new personnel
  o Reduced redundant management
  o Extensible as new object classes can be created
  o Classes can be modified by developers
o For Administrators
  o Only one user account per user
  o Simpler hardware setup - configuration can be copied to multiple pieces of hardware
  o Database can be replicated for redundancy
o For Users
  o Single sign-on
  o Application self-management / restoration
  o Modeled after the company business structure

Active Directory Components
o Security subsystem
  o Applications running in user mode do not have direct access to the operating system or hardware
  o Each request for resources must be passed through various components to determine whether the request is valid
  o Access control lists protect objects in the AD structure
  o Security infrastructure has four functions
    o To store security policies and account information
    o To implement and enforce security models
    o To manage authentication requests to AD objects
    o To store and manage trust information
o Directory Service Module
  o Multiple components that work together to control access to the actual database itself
  o Agents layer
  o Directory System Agent layer
  o Database layer

Active Directory Structure
o How the information is stored in the database
o Built on X.500 recommendations
  o X.500 is not a standard but a recommendation for organizing directories
  o X.500 was originally developed along the OSI model
  o The goal of the specification was to provide a mechanism that would give products from different vendors the capability to access and share information
  o What is defined is a common method of organizing, naming and accessing information
  o The recommendation includes defining the hierarchical structure, referred to as the directory tree

X.500 Hierarchical Structure
o Two main goals for structure design
  o Object identification - ensures each object has some sort of unique identifier
  o Object organization - allows the data to be broken into subsets for administrative purposes

X.500 Tree Structure
o Defines different types of container objects, like leaves on a tree
  o Country - "C" object
    o Highest container object in the schema
  o Organization - "O" object
    o Can only exist off the root of the tree or below a country
  o Location - "L" object
    o Grouping object that can exist at any level of the tree except directly below the root
  o Organizational unit - "OU" object
    o Grouping object that can exist under O's or OU's

Building Active Directory Trees
o Objects used to build a tree
  o Functional objects
  o Concepts
o Active Directory provides a method for designing a directory structure
o Shows you the objects to be found in Active Directory and the functions of its components:
  o Building Blocks
    o Objects
    o Schema
  o Components
    o Functionality
    o Replication
    o Global Catalog
    o Trust Relationships
    o DNS

Objects
o An object is a distinct named set of attributes that represents a network resource
o Typical Object Classes
  o User accounts
  o Groups
  o Computers
  o Domains
  o Organizational Units
o NOTE: Some objects are containers which can contain other objects.
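The User Logon sequence above (is the account name valid, is a password present, does it validate, are there restrictions, grant or refuse), worked through as an added example. It is not code from the original outline or from Windows; the in-memory account store, the PBKDF2 password verifier and the particular restrictions modelled (disabled, expired, logon hours, lockout after repeated failures) are assumptions standing in for the directory's real credential store and account policy. The accounts and timestamps are constructed.

```python
"""Model of the directory's logon decision sequence.

Added example, not the outline's or Windows' own code. Accounts live in
memory; PBKDF2-HMAC stands in for the directory's credential store.
"""
import hashlib
import hmac
import os
from datetime import datetime

ITERATIONS = 50_000   # PBKDF2 work factor for this model

# Constructed timestamps used by the demo (and by tests).
NOON = datetime(2024, 1, 15, 12, 0)
LATE_NIGHT = datetime(2024, 1, 15, 23, 30)


def make_account(name, password, *, disabled=False, logon_hours=range(0, 24),
                 expires=None, lockout_threshold=5):
    """Create an account record. Only a salted verifier of the password is kept."""
    salt = os.urandom(16)
    return {
        "name": name.lower(),
        "salt": salt,
        "verifier": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
        "disabled": disabled,
        "logon_hours": set(logon_hours),   # hours of the day (0-23) in which logon is permitted
        "expires": expires,                # datetime after which the account is expired, or None
        "bad_attempts": 0,
        "lockout_threshold": lockout_threshold,
        "locked": False,
    }


class Directory:
    def __init__(self, accounts):
        self.accounts = {a["name"]: a for a in accounts}

    def logon(self, name, password, now=None):
        """Return (granted, reason) following the outline's sequence."""
        now = now or datetime.now()
        acct = self.accounts.get(name.lower())
        # 1. Is the account name valid? An unknown name gets the same answer as
        #    a wrong password, so the response does not reveal which names exist.
        if acct is None:
            return False, "bad credentials"
        if acct["locked"]:
            return False, "account locked"
        # 2. Check for a password: an empty submission is refused outright.
        if not password:
            return False, "bad credentials"
        # 3. Validate the submitted password with a constant-time comparison.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], ITERATIONS)
        if not hmac.compare_digest(candidate, acct["verifier"]):
            acct["bad_attempts"] += 1
            if acct["bad_attempts"] >= acct["lockout_threshold"]:
                acct["locked"] = True
            return False, "bad credentials"
        acct["bad_attempts"] = 0
        # 4. Check for restrictions on the account. These are evaluated only
        #    after the password verified, so "disabled" or "expired" is never
        #    disclosed to someone who does not hold the credential.
        if acct["disabled"]:
            return False, "account disabled"
        if acct["expires"] is not None and now >= acct["expires"]:
            return False, "account expired"
        if now.hour not in acct["logon_hours"]:
            return False, "outside permitted logon hours"
        # 5. Determine the outcome: everything passed, grant the logon.
        return True, "granted"


if __name__ == "__main__":
    d = Directory([make_account("alice", "correct horse battery", logon_hours=range(8, 18)),
                   make_account("bob", "pw", disabled=True)])
    print(d.logon("Alice", "correct horse battery", now=NOON))   # (True, 'granted')
    print(d.logon("alice", "correct horse battery", now=LATE_NIGHT))
    print(d.logon("bob", "pw", now=NOON))
```

Two design points a practitioner would look for: the step ordering means the caller learns nothing about restrictions without the right password, and the failed-attempt counter turns the password check into the lockout control the outline's "restrictions" step relies on.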
Schema
o Is a list of definitions that defines the objects that can be stored in Active Directory
o There are two types of definitions
  o Attributes
  o Classes (objects)
o Attributes
  o Are defined only once
  o Can be used in multiple classes
o Classes (Objects)
  o Also referred to as object classes
  o Describe the possible AD objects that can be created
  o A class is a collection of attributes
  o Example: the user class is composed of many attributes: first name, last name, home directory, email addresses, etc.
o You can extend the schema by adding more classes and attributes for each class

Components
o AD uses components to build a directory structure that fits your organization
o The logical structures of your organization are represented by the following components:
  o Domains
  o Organizational Units (OUs)
  o Trees
  o Forests
o The physical structure is represented by
  o Sites (physical subnets)
  o Domain Controllers

Logical Structures
o In AD you organize resources in a logical structure that mirrors the logical structure of the organization
o Grouping logically enables you to:
  o Find a resource by its name rather than a physical location
  o The physical network is (should be) completely transparent to users

Domains
o Core unit of logical structure in AD
o Can store millions of objects
o Objects stored in a Domain are those which are interesting to the network
o All network objects exist within a Domain
o Each Domain stores info only about the objects it contains
o Domains can span more than one physical location
o Is a security boundary
  o Access control lists (ACLs) control access to Domain objects
  o Objects protected this way include:
    o Files
    o Folders
    o Shares
    o Printers

Organizational Units
o Is a container used to organize objects within a Domain
o OUs can contain:
  o User accounts
  o Groups
  o Computers
  o Printers
  o Applications
  o File Shares
  o Other OUs
o All objects must be from the same Domain
o Each OU hierarchy within a Domain is totally independent of any other Domain structure
o OUs provide a means of handling admin tasks; they are the smallest scope to which you can delegate admin authority
o Reflect the structure within the Domain
o Delegate admin control
o Easier to move users between OUs than between Domains
o Group objects to locate similar resources and simplify admin and locating objects
o Restrict visibility of network resources
o Guidelines
  o Shallow trees perform better
  o OUs should represent structures which are not subject to change

Trees
o A hierarchical arrangement of one or more Domains
o Domains in a tree share:
  o A contiguous name space
  o Hierarchical naming structure
o Share the following characteristics
  o The domain name of the child Domain is the relative name of that child Domain appended with the name of the parent Domain
  o All Domains share a common schema
  o All Domains share a global catalog

Forests
o Have the following characteristics
  o Share a common schema
  o Trees have a different naming structure (according to their Domain)
  o All Domains in a forest share a global catalog
  o Domains in a forest operate independently, but a forest enables communication across the organization's structure
  o Implicit two-way transitive trust exists between Domains and Domain trees

Distributed, Replicated Directory Database
o AD is broken into pieces called partitions
o Partitions are placed on servers close to the users that use them
o Fault tolerance is provided by replicating those partitions to multiple servers

The Business Case
o Active Directory allows users and administrators to see their network as a logical set of resources
o Design of the infrastructure relates to the physical network
o Two sets of standards or models are considered:
  o Geographic model - determined by the number of physical locations and the connectivity between them
    o Three levels of models: regional, national & international
  o Business model - refers to the business relationship between sites and services
    o Determine the relationship between a location and its relationship to the company

Focusing on the Business Model
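The two security points made in the Domains and Organizational Units sections above, that ACLs control access to domain objects and that an OU is the smallest scope to which admin authority can be delegated, worked through as an added example. It is not code from the original outline or from Windows; the in-memory object tree, the ACE shape and the evaluation order (an object's own ACEs before inherited ones, nearer ancestors before farther ones, and deny before allow within each tier) are a simplified model of the Windows conventions, and the corp.example.com domain, OUs, users and groups are constructed.

```python
"""Model of ACL-controlled access to domain objects and OU-scoped delegation.

Added example, not the outline's or Windows' own code. Objects, groups and
ACEs are constructed in memory; the evaluation rules are a simplified
version of the Windows ordering (explicit before inherited, deny before
allow).
"""
from dataclasses import dataclass


@dataclass
class ACE:
    trustee: str        # user or group name the entry applies to
    rights: frozenset   # rights granted or denied, e.g. {"read", "reset_password"}
    allow: bool = True
    inherit: bool = True   # whether the ACE flows down to child objects


class DirObject:
    """A domain, OU, user or other object with its own explicit ACEs."""

    def __init__(self, rdn, parent=None, aces=()):
        self.rdn, self.parent, self.aces = rdn, parent, list(aces)

    @property
    def dn(self):
        return self.rdn if self.parent is None else f"{self.rdn},{self.parent.dn}"


def ace_tiers(obj):
    """ACEs grouped by origin: the object's own explicit ACEs first, then the
    inheritable ACEs of the parent, grandparent and so on outward."""
    tiers, node, inherited = [], obj, False
    while node is not None:
        tiers.append((node.dn, [a for a in node.aces if not inherited or a.inherit]))
        node, inherited = node.parent, True
    return tiers


def check_access(obj, principal, groups, right):
    """Return (granted, reason). Within each tier a deny for the requested
    right wins over an allow; the first tier with a matching ACE decides."""
    ids = {principal} | set(groups)
    for origin, aces in ace_tiers(obj):
        matching = [a for a in aces if a.trustee in ids and right in a.rights]
        if any(not a.allow for a in matching):
            return False, f"denied by ACE on {origin}"
        if any(a.allow for a in matching):
            return True, f"allowed by ACE on {origin}"
    return False, "no matching ACE (implicit deny)"


def delegate(ou, trustee, rights):
    """Delegate admin authority at OU scope: an inheritable allow ACE on the
    OU applies to everything beneath it and to nothing outside it."""
    ou.aces.append(ACE(trustee, frozenset(rights), allow=True, inherit=True))


def build_sample_domain():
    """Constructed sample: a domain, three OUs and three users."""
    domain = DirObject("DC=corp,DC=example,DC=com", aces=[
        ACE("Domain Admins", frozenset({"read", "write", "reset_password", "delete"}))])
    sales = DirObject("OU=Sales", domain)
    # Interns are inside Sales but their passwords must not be reset by the helpdesk.
    interns = DirObject("OU=Interns", sales, aces=[
        ACE("Sales Helpdesk", frozenset({"reset_password"}), allow=False)])
    engineering = DirObject("OU=Engineering", domain)
    delegate(sales, "Sales Helpdesk", {"read", "reset_password"})
    return {
        "domain": domain, "sales": sales, "interns": interns, "engineering": engineering,
        "asmith": DirObject("CN=asmith", sales),
        "jdoe": DirObject("CN=jdoe", interns),
        "bjones": DirObject("CN=bjones", engineering),
    }


if __name__ == "__main__":
    objs = build_sample_domain()
    for user in ("asmith", "jdoe", "bjones"):
        print(user, check_access(objs[user], "helpdesk1", {"Sales Helpdesk"}, "reset_password"))
    print("admin1", check_access(objs["jdoe"], "admin1", {"Domain Admins"}, "write"))
```

The point of the sample is the scoping: the helpdesk's delegated right reaches every object under OU=Sales, is cut off for OU=Interns by a nearer explicit deny, and never reaches OU=Engineering at all, while the domain-level Domain Admins entry is inherited by everything. When reviewing delegation, the reason string names the object whose ACE decided, which is the entry to audit.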
o Analysis of more than just bandwidth
  o Political relationships
  o Uses for the network (just email or real-time database access)
  o Similarities and differences between the sites - physical makeup and management philosophy
  o Corporate offices vs. branch offices vs. subsidiary offices

Analyzing the Business Environment
o Departmental model - traditional method of managing a business
o Project-based model - "new age" management - the company is broken into small groups or teams which contain all the resources they need to support a project
o Product / Service-based model - groups are organized to support specific products or services
o Cost Center model - hybrid of the above - groups are divided across cost centers

Analyze the Existing and Planned Organizational Structures
o Management model
o Company organization
o Vendor, partner and customer relationships
o Acquisition plans

Analyze Factors that Influence Company Strategies
o Identify:
  o The company priorities
  o The projected growth and growth strategy
  o The relevant laws and regulations
  o The company's tolerance for risk
  o The total cost of operations

Analyzing the IT Environment
o Type of administration - central or de-centralized
o Funding model
o Outsourcing
o Decision-making process
o Change-management process
o Evaluate the company's existing and planned technical environment
  o Analyze performance requirements
  o Analyze data and system access patterns
  o Analyze network roles and responsibilities
  o Analyze security considerations
o Analyze the impact of AD on the existing and planned technical environment
  o Assess existing systems and applications
  o Identify existing and planned upgrades and roll-outs
  o Analyze technical support structure
  o Analyze existing and planned network and systems management

Active Directory Naming Strategies
o Establish the scope of the Active Directory
o Design the plan
o DNS strategy
  o Design the placement of DNS servers
  o Considerations include:
    o Performance
    o Fault tolerance
    o Functionality
    o Manageability
  o Plan for interoperability with the existing DNS

Planning a Domain and OU Structure
o Design an AD forest and domain structure
  o Design a forest and schema structure
  o Design a domain structure
  o Analyze and optimize trust relationships
o Design and plan the structure of organizational units (OUs)
  o Considerations include:
    o Administration control
    o Existing resource domains
    o Administrative policy
    o Geographic and company structure
  o Develop an OU delegation plan
o Plan Group Policy object management
o Plan policy management for client computers

Summary
o Access to all resources is managed through a single database
o Everything from the point of initial logon to using a printer is controlled by the AD directory
o All resources include identified permissions
o The network can be viewed as a single system rather than a series of connected resources
o Network-based versus server- or domain-based management
o Active Directory as a Service
  o The Active Directory service uses the Active Directory database to provide functionality
  o Without the service the database could not be accessed