
MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory

Chapter 4: Active Directory Design and Security Concepts

Work with organizational units
Work with forests, trees, and domains
Describe the components of a site

Working with Organizational Units

Benefits of using OUs: (Memorize only 3)

You can create familiar hierarchical structures based on an organizational chart to allow easy resource access
Delegation of administrative authority
Able to change OU structure easily
It can group users and computers for the purposes of assigning administrative and security policies
It can hide AD objects for confidentiality or security reasons

Working with Organizational Units

OU Delegation of Control
Delegation of control means a person with higher security privileges assigns authority to a person of lesser security privileges to perform certain tasks
Allows specific control of what someone with delegated control may do.
Commonly delegated tasks include: (Memorize only 4)
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete, and manage groups
Modify the membership of a group
Manage group policy
Generate Resultant Set of Policy (Planning)
Generate Resultant Set of Policy (Logging)
OU Delegation of Control (cont.)
Custom tasks can be created for delegation as well, but you must fully understand the nature of objects, permissions, and permission inheritance.
Knowledge of permissions and how they work is important regardless of whether you use custom tasks or not
By default, the OU's properties don't show that another user has delegated control.
Instead, to verify who has delegated control of an OU, you must view the OU's permissions.
Activity 4-1 pg. 115 - Creating a single-level OU
Activity 4-2 pg. 116 - Delegating Control of an OU.
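The slides say that delegated control is only visible in the OU's permissions, not on its Properties page. The following script, an added example that is not from the textbook, reads those permissions with ADSI and prints only the explicit (non-inherited) access control entries on an OU, which is where the Delegation of Control Wizard records what it granted. It assumes PowerShell 2.0 on a domain-joined machine; the OU distinguished name is a placeholder to replace with your own.

```powershell
# Added example (not from the textbook): list the explicit, non-inherited ACEs on an OU.
# The Delegation of Control Wizard records its grants as explicit ACEs on the OU, so this
# is the view the slides say you need: the OU's permissions, not its Properties page.
# Assumes PowerShell 2.0 on a domain-joined machine; the OU DN below is a placeholder.
param([string]$OuDn = "OU=Sales,DC=example,DC=com")   # placeholder: replace with a real OU DN

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

# An ACE names *what* it covers as a GUID: an extended right such as "Reset Password"
# (rightsGuid in CN=Extended-Rights) or a class/attribute (schemaIDGUID in the schema).
# Build one GUID -> friendly-name table so the output is readable.
$guidNames = @{}
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.PageSize = 1000

$searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
$searcher.Filter = "(objectClass=controlAccessRight)"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("rightsGuid", "displayName"))
foreach ($r in $searcher.FindAll()) {
    $key = ([string]$r.Properties["rightsguid"][0]).ToLower()
    $guidNames[$key] = [string]$r.Properties["displayname"][0]
}

$searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
$searcher.Filter = "(schemaIDGUID=*)"
$searcher.PropertiesToLoad.Clear()
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("schemaIDGUID", "lDAPDisplayName"))
foreach ($r in $searcher.FindAll()) {
    # schemaIDGUID is stored as raw bytes, not as a string
    $g = New-Object Guid -ArgumentList (,[byte[]]$r.Properties["schemaidguid"][0])
    $guidNames[$g.ToString().ToLower()] = [string]$r.Properties["ldapdisplayname"][0]
}

function Resolve-AceGuid([Guid]$g) {
    if ($g -eq [Guid]::Empty) { return "(all)" }      # empty GUID = the whole object / every class
    $key = $g.ToString().ToLower()
    if ($guidNames.ContainsKey($key)) { $guidNames[$key] } else { $key }
}

$ou = [ADSI]"LDAP://$OuDn"
# GetAccessRules(includeExplicit, includeInherited, identity type)
$rules = $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$rules |
    Where-Object { -not $_.IsInherited } |          # explicit entries: what was delegated on this OU
    ForEach-Object {
        New-Object PSObject -Property @{
            Identity    = $_.IdentityReference.Value
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            Right       = Resolve-AceGuid $_.ObjectType           # extended right or attribute
            AppliesTo   = Resolve-AceGuid $_.InheritedObjectType  # child class the ACE is limited to
            Inheritance = $_.InheritanceType
        }
    } |
    Sort-Object Identity |
    Format-Table Identity, Type, Rights, Right, AppliesTo, Inheritance -AutoSize
```

The domain's default explicit entries for built-in groups appear alongside the delegated ones, so compare the output against a freshly created OU to see what was added by delegation. Dropping the `IsInherited` filter shows the full picture, including entries inherited from the domain or a parent OU.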
Active Directory Object Permissions
Three types of objects can be assigned permission to access an AD object: users, groups, and computers. These object types are referred to as security principals.
An AD object's security settings are composed of three components:
Discretionary access control list (DACL)
Each entry is referred to as an access control entry (ACE)
Object owner
Usually the user account that created the object, or a group or user who has been assigned ownership.
System access control list (SACL)
Defines the settings for auditing access to an object

Active Directory Permissions (cont.)
Each object has a list of standard permissions and a list of special permissions.
Each permission can be set to Allow or Deny, and five standard permissions are available for most objects: (Memorize only 3)
Full control - Users have full control permissions
Read - Users can view objects and their attributes and
Write - Users can change the object's attributes.
Create all child objects - Users can create new child objects in the parent object.
Delete all child objects - Users can delete child objects in the parent object.
Active Directory Permissions (cont.)
Users can be assigned permission to an object in three different ways:
The user's account is added to the object's DACL, a method referred to as explicit permission.
A group the user belongs to is added to the object's DACL
The permission is inherited from a parent object's DACL to which the user or group account has been added.
A user's effective permissions are a combination of the assigned permissions.
Deny permissions override Allow permissions (pg. 118).
Exception: when the Deny permission is inherited from a parent object and the Allow permission is explicitly added to the object's DACL, the Allow permission takes precedence.

Using Deny in an ACE
If a security principal isn't represented in an object's DACL, it doesn't have access to the object.
Deny permissions are not required for every object to prevent access.
Deny permissions are usually used in cases of exception, such as when you don't want a user to be able to delete child objects in an OU, but still want to grant him access to manage other objects in the OU. (pg. 118)

Permission Inheritance in OUs
Permission inheritance defines how permissions are transmitted from a parent object to a child object
All objects in AD are child objects of the domain
By default, permissions applied to the parent OU with the Delegation of Control Wizard are inherited by all child objects of that OU

Advanced Features Option in Active Directory Users and Computers
Default settings in AD Users and Computers hide some system folders and advanced features, but you can display them by enabling the Advanced Features option from the View menu. Afterwards, four new folders are shown under the domain
Program Data
NTDS (NT Directory Service)

Advanced Features Option in Active Directory Users and Computers (cont.)
The Properties dialog box of domain, folder, and OU objects will now have three new tabs:
Used to view detailed information about a container object
Used to view and modify an object's permissions
Attribute Editor
Used to view and edit an object's attributes.

Activity 4-3 Pg. 119 Viewing Object Permissions.

Effective Permissions
Effective permissions for an object are a combination of the allowed and denied permissions assigned to a security principal.
They can come from assignments made directly to a single user account or to a group the user belongs to
Explicit permissions override inherited permissions, and can create some exceptions to the rule that Deny permissions override Allow permissions

Effective Permissions (cont.)
Most common settings for permission inheritance:
This object only
The permission setting isn't inherited by child (descendant) objects.
This object and all descendant objects
The permission setting applies to the current object and is inherited by all child objects
All descendant objects
The permission setting doesn't apply to the selected object but is inherited by all child objects
Descendant [object type] objects
The permission is inherited only by specific child object types, such as user, computer, or group objects.
Permission inheritance is enabled by default on child objects, but it can be disabled.
Activity 4-4 pg. 123 Working with Permission
Activity 4-5 pg. 124 Determining Effective Permissions.
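The two rules stated in the permissions slides, that Deny overrides Allow and that an explicit Allow nevertheless beats an inherited Deny, both follow from the order in which Windows stores and walks a DACL. The script below is an added example, not from the textbook: it models that walk over a small set of constructed ACEs (the identities, rights and group membership are made up) so the exception can be seen rather than memorized. Rights are named with placeholder strings rather than real Active Directory permission values.

```powershell
# Added example (not from the textbook): a small model of how a DACL is evaluated,
# to show why an explicit Allow beats an inherited Deny. All ACEs below are constructed.

function New-Ace([string]$Identity, [string]$Type, [string[]]$Rights, [bool]$Inherited) {
    New-Object PSObject -Property @{
        Identity = $Identity; Type = $Type; Rights = $Rights; Inherited = $Inherited
    }
}

# Windows keeps a DACL in canonical order: explicit Deny, explicit Allow,
# inherited Deny, inherited Allow. That ordering is the whole reason for the exception
# on the slides: an explicit Allow is reached before the inherited Deny.
function Sort-Canonical($Aces) {
    $Aces | Sort-Object -Property @{ Expression = { $_.Inherited } },
                                  @{ Expression = { if ($_.Type -eq 'Deny') { 0 } else { 1 } } }
}

# Walk the DACL in canonical order. The first ACE that matches the principal
# (the user or one of its groups) and names a still-undecided right settles that
# right; later ACEs cannot reopen it. Rights no ACE mentions stay denied, which is
# the "not represented in the DACL means no access" rule from the slides.
function Get-EffectiveRights([string]$User, [string[]]$Groups, $Aces, [string[]]$Requested) {
    $principals = @($User) + $Groups
    $decided = @{}
    foreach ($ace in (Sort-Canonical $Aces)) {
        if ($principals -notcontains $ace.Identity) { continue }
        foreach ($right in $ace.Rights) {
            if ($Requested -notcontains $right -or $decided.ContainsKey($right)) { continue }
            $decided[$right] = ($ace.Type -eq 'Allow')
        }
    }
    $result = @{}
    foreach ($right in $Requested) { $result[$right] = [bool]$decided[$right] }
    $result
}

# Constructed DACL of a child OU. The parent OU denied DeleteChild to the HelpDesk group
# with inheritance; an admin then explicitly allowed DeleteChild to alice on this child OU.
$childOuDacl = @(
    (New-Ace 'alice'    'Allow' @('DeleteChild')   $false),   # explicit on this OU
    (New-Ace 'HelpDesk' 'Deny'  @('DeleteChild')   $true),    # inherited from parent OU
    (New-Ace 'HelpDesk' 'Allow' @('Read', 'Write') $true)     # inherited from parent OU
)
$wanted = @('Read', 'Write', 'DeleteChild')

# alice is a HelpDesk member: her explicit Allow is walked before the inherited Deny
Get-EffectiveRights 'alice' @('HelpDesk') $childOuDacl $wanted
# bob is a HelpDesk member with no explicit entry: only the inherited Deny matches him
Get-EffectiveRights 'bob'   @('HelpDesk') $childOuDacl $wanted
```

Run as written, alice keeps DeleteChild while bob does not, and both get Read and Write from the inherited group entry. The model evaluates each right on its own, the way the Effective Permissions tab reports them; a real access check for several rights at once fails as a whole as soon as a Deny covers any of the rights still outstanding.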
Working with Forests, Trees, and Domains

Smaller organizations will most likely be focused on OUs and their child objects, whereas larger organizations might require an AD structure composed of several domains, multiple trees, and even a few forests
The first domain controller creates more than just a new domain; it also creates the root of a new tree and the root of a new forest
It may eventually become necessary to add domains to the tree, create new trees or forests, and add sites to the AD structure

Active Directory Terminology
Active Directory Replication
Trust Relationships

Active Directory Replication
Replication is the process of maintaining a consistent database of information when the database is distributed among several domain controllers
Intrasite replication
Replication between domain controllers in the same site.
Intersite replication
Occurs between two or more sites
Multimaster replication
Used by AD for replicating AD objects, such as user and computer accounts, which means changes to these objects can occur on any domain controller and are replicated to all other domain controllers.
Knowledge Consistency Checker (KCC) runs on all DCs
Determines the replication topology, which defines the domain controller path that AD changes flow through.

Active Directory Replication (cont.)

Trust Relationships
In Active Directory, a trust relationship defines whether and how security principals from one domain can access network resources in another
Since Windows 2000 AD, trust relationships are established automatically between all domains in one forest, while the trust between two or more forests must be configured manually.
Trust is different from permissions: if there is no trust relationship between domains, there will be no access across domains even if a user has certain permissions
The Role of Forests
All domains in a forest share some common characteristics: (Memorize only 3)
A single schema - AD objects and their attributes.
Forestwide administrative accounts - Two groups exist with different rights: Schema Admins and Enterprise Admins.
Operations masters - A designated domain controller in a forest can perform certain roles.
Global Catalog - Contains information about all objects in a forest; it is used to speed searching for objects across domains in the forest and to allow users to log on to any domain in the forest
Trusts between domains - Allow users to log on to their home domains and access resources in all domains within a forest.
Replication between domains - Facilitates replicating important information to all domain controllers within the forest.
The Importance of the Global Catalog Server
The first DC installed in a forest is automatically designated as a Global Catalog server, but additional global catalog servers can be configured as well.
Global Catalog servers perform the following vital functions:
Facilitates domain and forestwide searches.
Facilitates logon across domains; users can log on to computers in any domain by using their user principal name

Activity 4-7 pg. 131 Configuring a Global Catalog Server

Forest Root Domain
The first domain is the forest root and is referred to as the forest root domain.
Functions of the forest root domain usually are:
DNS server
Global catalog server
Forestwide administrative accounts
Operations masters

Forest Root Domain (cont.)
Due to the importance of the forest root domain's functionality, some organizations choose a dedicated forest root domain.
The advantages of running a dedicated forest root domain include the following:
More secure
More manageable
More flexible

Choosing a Single or Multiple Forest
Most organizations operate under a single AD forest, which has a number of advantages:
A common Active Directory structure
Easy access to network resources
Centralized management
A single-forest structure also has limitations in many aspects; diversity within an organization may make a single-forest design impossible. A multiple-forest design includes the following advantages:
Security boundaries
Separate administration

Understanding Trusts
Trusts allow users in one domain to access resources in another domain, without requiring a user account in the other domain
Types of trust:
One way and two way trusts
Transitive trusts
Shortcut trusts
Forest trusts
External trusts
Realm trusts

Understanding Trusts (cont.)
One way trust

One-Way and Two-Way Trusts
A one-way trust exists when one domain trusts another, but the reverse is not true
When domainA trusts domainB, users in domainB may access resources in domainA but not vice versa.
In this case domainA is the trusting domain and domainB is the trusted domain
More common is the two-way trust, in which users from both domains can be given access to resources in the other domain

Transitive Trusts
A transitive trust is named after the transitive rule of equality in mathematics: if A=B and B=C, then A=C
If one domain trusts another domain, and that domain trusts a third domain, then the first domain has a transitive trust with the third domain. For example, if domain A trusts domain B and domain B trusts domain C, then domain A trusts domain C.

Transitive Trusts (cont.)

Shortcut Trusts
A shortcut trust is configured manually between domains to bypass the normal referral process
Shortcut trusts are transitive and can be configured as one-way or two-way trusts between domains in the same forest.

Shortcut trusts (cont.)

Forest Trusts
A forest trust provides a one-way or two-way transitive trust between forests that allows security principals in one forest to access resources in any domain in another forest
Forest trusts are not possible in Windows 2000 forests
They are transitive in the sense that all domains in one forest trust all domains in another forest, but the trust isn't transitive from one forest to another. For example, if a forest trust is created between Forest A and Forest B, all domains in Forest A trust all domains in Forest B. If there's a third forest, Forest C, and Forest B trusts Forest C, a trust relationship isn't established automatically between Forest A and Forest C. A separate trust must be configured manually between these two forests.

External Trusts
An external trust is a one-way or two-way nontransitive trust between two domains that aren't in the same forest. Generally used in these cases:
To create a trust between two domains in different forests
To create a trust with a Windows 2000 or Windows NT domain - You can't create a forest trust between a Windows Server 2008 or 2003 forest and a Windows 2000 forest or Windows NT domain. An external trust must be used to create the trust relationship between domains.

Realm Trusts
Can be used to integrate users of other OSs into a Windows Server 2008 domain or forest.
This requires the OS to be running the Kerberos V5 authentication system that AD uses
Kerberos is an open-standard security protocol used to secure authentication and identification between parties in a network
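Every trust described in the slides above (one-way or two-way, transitive or not, shortcut, forest, external, realm) is stored as a trustedDomain object in the domain's CN=System container, with the direction, partner type and transitivity encoded in integer attributes. The script below is an added example, not from the textbook: it enumerates those objects and decodes the attributes into the categories used on the slides, which is a quick way to audit which outside domains and forests are trusted and whether SID filtering is in force. It assumes PowerShell 2.0 on a domain member; the bit values are the documented trustAttributes, trustDirection and trustType values.

```powershell
# Added example (not from the textbook): enumerate this domain's trusts from the
# trustedDomain objects in CN=System and decode direction, type and attributes so each
# trust can be placed in the categories above. Assumes PowerShell 2.0 on a domain member.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [string]$rootDse.defaultNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=System,$domainNc"
$searcher.Filter = "(objectClass=trustedDomain)"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("trustPartner", "trustDirection", "trustType", "trustAttributes"))

# trustAttributes bit values (MS-ADTS)
$attrFlags = @{
    0x1  = 'NON_TRANSITIVE'
    0x2  = 'UPLEVEL_ONLY'
    0x4  = 'QUARANTINED_DOMAIN'   # SID filtering enforced
    0x8  = 'FOREST_TRANSITIVE'
    0x10 = 'CROSS_ORGANIZATION'
    0x20 = 'WITHIN_FOREST'
    0x40 = 'TREAT_AS_EXTERNAL'
}
# trustDirection, seen from this domain: 2 = outbound, we are the trusting domain
# (their users can reach our resources); 1 = inbound, we are the trusted domain
$directions = @{ 1 = 'Inbound (we are trusted)'; 2 = 'Outbound (we are trusting)'; 3 = 'Two-way' }
$types      = @{ 1 = 'Downlevel (Windows NT)'; 2 = 'Uplevel (Active Directory)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }

$trusts = foreach ($r in $searcher.FindAll()) {
    $attrs = [int]$r.Properties["trustattributes"][0]
    $type  = [int]$r.Properties["trusttype"][0]
    $dir   = [int]$r.Properties["trustdirection"][0]

    $flagNames = @()
    foreach ($bit in ($attrFlags.Keys | Sort-Object)) {
        if ($attrs -band $bit) { $flagNames += $attrFlags[$bit] }
    }

    # Map the raw flags onto the trust types from the slides
    $category = if ($attrs -band 0x20) { 'Within forest (parent-child, tree-root or shortcut)' }
                elseif ($attrs -band 0x8) { 'Forest trust' }
                elseif ($type -eq 3) { 'Realm trust' }
                else { 'External trust' }

    New-Object PSObject -Property @{
        Partner    = [string]$r.Properties["trustpartner"][0]
        Direction  = $directions[$dir]
        Type       = $types[$type]
        Transitive = -not ($attrs -band 0x1)
        Category   = $category
        Flags      = ($flagNames -join ', ')
    }
}
$trusts | Format-Table Partner, Category, Direction, Transitive, Type, Flags -AutoSize
```

An external trust to a domain outside the forest should show NON_TRANSITIVE and normally QUARANTINED_DOMAIN; a forest trust shows FOREST_TRANSITIVE. The WITHIN_FOREST flag alone does not separate a shortcut trust from the automatic parent-child and tree-root trusts, so compare the partner name against the forest's domain tree to tell them apart.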

Designing the Domain Structure
Most small and medium businesses choose a single domain for reasons that include the following:
Lower costs
Easier management
Easier access to resources

Understanding Sites
An AD site represents a physical location where DCs are placed and group policies can be applied
The first DC of a forest creates a site named Default-First-Site-Name once installed.
Three main reasons for establishing multiple sites:
Authentication efficiency
Replication efficiency
Application efficiency
Sites are created using Active Directory Sites and Services

Understanding Sites (cont.)

Site Components
Each site is associated with one or more IP subnets, and a subnet can only be associated with a single site
Site Links
A site link is needed to connect two or more sites for replication
Site links determine the replication schedule and frequency between two sites

Activity 4-9 pg. 142: Creating a Subnet in Active Directory Sites and Services.
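The site components just listed (sites, the subnets mapped to them, and the site links with their cost and replication interval) all live in the configuration partition, so they can be inventoried without opening the Sites and Services console. The script below is an added example, not from the textbook: it lists each site with its subnets, flags subnets that point at no site and sites that have no subnets (both undermine the authentication-efficiency goal, since clients on an unmapped subnet are not steered to a nearby DC), and then prints the site links. It assumes PowerShell 2.0 on a domain member.

```powershell
# Added example (not from the textbook): inventory sites, subnets and site links from the
# configuration partition and flag gaps. A client whose subnet is not mapped to any site
# is not sent to a nearby DC, and a site with no subnets never gets any clients.
# Assumes PowerShell 2.0 on a domain member.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext

function Find-Objects([string]$BaseDn, [string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$BaseDn"
    $s.Filter = $Filter
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.AddRange($Props)
    $s.FindAll()
}

# Pull the leading CN out of a DN such as CN=Default-First-Site-Name,CN=Sites,...
function Get-Cn([string]$Dn) { $Dn -replace '^CN=([^,]+),.*$', '$1' }

# Sites, each with the subnets that point at it through siteObject
$sites = @{}
foreach ($r in (Find-Objects "CN=Sites,$configNc" "(objectClass=site)" @("name"))) {
    $sites[[string]$r.Properties["name"][0]] = @()
}
$unmapped = @()
foreach ($r in (Find-Objects "CN=Subnets,CN=Sites,$configNc" "(objectClass=subnet)" @("name", "siteObject"))) {
    $subnet = [string]$r.Properties["name"][0]
    if (-not $r.Properties.Contains("siteobject")) { $unmapped += $subnet; continue }
    $site = Get-Cn ([string]$r.Properties["siteobject"][0])
    $sites[$site] += $subnet
}

"Sites and mapped subnets:"
foreach ($site in ($sites.Keys | Sort-Object)) {
    $list = if ($sites[$site].Count -gt 0) { $sites[$site] -join ', ' } else { '(none: no client will be located to this site)' }
    "  {0}: {1}" -f $site, $list
}
if ($unmapped.Count -gt 0) { "Subnets not mapped to any site: " + ($unmapped -join ', ') }

# Site links: which sites replicate over each link, at what cost and interval (minutes)
"Site links:"
foreach ($r in (Find-Objects "CN=Inter-Site Transports,CN=Sites,$configNc" "(objectClass=siteLink)" @("name", "siteList", "cost", "replInterval"))) {
    $members = @($r.Properties["sitelist"] | ForEach-Object { Get-Cn ([string]$_) })
    "  {0}: cost={1} interval={2} min, sites={3}" -f $r.Properties["name"][0], $r.Properties["cost"][0], $r.Properties["replinterval"][0], ($members -join ', ')
}
```

The script only reads the directory, so it is safe to run repeatedly; keeping its output from one run makes an unexpected new subnet, site or site link stand out on the next.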
Chapter Summary
Active Directory is based on the X.500 and LDAP standards, which are standard protocols for defining, storing, and accessing directory service objects
OUs, the building blocks of the AD structure in a domain, can be designed to mirror a company's organizational chart. Delegation of control can be used to give users some management authority in an OU.
Large organizations might require multiple domains, trees, and forests
Directory partitions are sections of the AD database that hold varied types of data and are managed by different

Chapter Summary (cont.)
The forest is the broadest logical AD component. All domains in a forest share some common characteristics, such as a single schema, the global catalog, and trusts between domains
Trusts permit domains to accept user authentication from another domain and facilitate cross-domain and cross-forest resource access with a single logon
A domain is the primary identifying and administrative unit of AD. Each domain has a unique name, and there's an administrative account with full control over objects in the domain
An AD site represents a physical location where domain controllers reside.