Active Directory Basics
by Akash Nema, 21 September 2014

Transcript of Active Directory Basics

The Basics

ACTIVE DIRECTORY
Active Directory is a registered trademark of Microsoft.
Active Directory is a database that stores information about users, computers and network resources, and makes those resources accessible to users and applications.

Why do I need Active Directory?
(Diagram: Office 2, Office 3 and Office 4, each with its own computers and file shares and no central directory.)
Without a directory:
Accessing network resources such as file shares is a challenge.
Security concerns: there is no or very little control over the local user accounts on the computers.
As more and more users and computers are added, management becomes complex.
Guest users are limited to the Workgroup and can be prevented from accessing resources of the domain.

In Workgroup
The computer is a member of a Workgroup (the default).
Users authenticate locally to the computer.
Credentials are stored on the computer.
All computers are peers; no computer has control over another computer.
Each computer has its own set of user accounts. To log on to any computer in the workgroup, you must have an account on that computer.
There are typically no more than twenty computers.
A workgroup is not protected by a password.
All computers must be on the same local network or subnet.

User Profiles
A profile is a collection of settings and documents that define a user's work environment.
A profile includes the following user-specific settings:
Changes made to application layouts.
Changes to system settings that are unique to the user's experience, such as desktop background, screen saver, keyboard layout, mouse orientation and printer preferences.
A profile does not include:
Machine-wide settings such as firewall settings.
Personal data in the profile is stored on the Desktop and in the associated folders such as Documents and Downloads.
Types of Profiles
Local: stored on and used from a single computer; the registry part of the profile is stored in NTUSER.DAT.
Roaming: stored on and used from a network share.
Mandatory: stored on and used from a network share, but read-only (the hive is renamed NTUSER.MAN so changes are never written back).
Super Mandatory: the same as Mandatory, except that logon is not possible when the network share is unavailable.

Is logon possible when the network is not available?
Local: yes.
Roaming and Mandatory: yes, using the locally cached copy of the profile; if no copy is cached, the user is logged on with a temporary profile.
Super Mandatory: no.

Performance
Local profiles are fast to load.
Loading a Roaming profile depends on connection speed, server load and the size of the profile.
Loading a Mandatory profile behaves the same as a Roaming profile.
Logoff is faster with a Mandatory profile because changes are discarded instead of being copied back to the share.

How are new profiles created?
It depends on the type of profile being used.
Local: the local default profile on the computer the user logs on to is copied.
Roaming: the default profile is copied on the computer the user logs on to. If the computer is a member of a domain, the default profile is taken from the first of these that exists:
the network default user profile on the NETLOGON share;
the local default profile.
Mandatory: the profile is loaded into HKCU only for the duration of the session; nothing is written back at logoff.
User Profile Service
(Diagram: at each logon the User Profile Service loads the user's NTUSER.DAT, for example C:\Users\shitizb\NTUSER.DAT, C:\Users\shivangim\NTUSER.DAT, C:\Users\sanayam\NTUSER.DAT and C:\Users\akanksham\NTUSER.DAT, into the registry as HKEY_USERS\<SID>, which the user sees as HKCU; at logoff the hive is unloaded. Sessions 1 to 4 show this logon/logoff cycle for the four users.)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
contains a list of all profiles cached on the computer, one subkey per user SID, with the profile path in ProfileImagePath.
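The following script is an added example, not code from the presentation. It reads the ProfileList key named above together with the Win32_UserProfile CIM class, resolves each SID to an account, and flags orphaned profiles (a SID that no longer resolves usually belongs to a deleted account whose files and cached data are still on disk). It must run as an administrator on a Windows machine; no domain or user names are assumed.

```powershell
# Added example, not part of the original presentation: inventory the profiles cached on this
# computer from ProfileList and Win32_UserProfile, and flag orphaned ones.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Resolve-Sid {
    param([string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $null    # unresolved: account deleted, or a domain SID with no DC reachable right now
    }
}

function Get-CachedProfile {
    # Win32_UserProfile knows whether the hive is loaded right now and whether roaming is configured
    $live = @{}
    Get-CimInstance -ClassName Win32_UserProfile | ForEach-Object { $live[$_.SID] = $_ }

    Get-ChildItem -Path $profileListKey | ForEach-Object {
        $sid   = $_.PSChildName                       # the subkey name is the SID
        $props = Get-ItemProperty -Path $_.PSPath
        $cim   = $live[$sid]
        [pscustomobject]@{
            Sid      = $sid
            Account  = Resolve-Sid $sid
            Path     = $props.ProfileImagePath
            Loaded   = if ($cim) { [bool]$cim.Loaded } else { $false }            # NTUSER.DAT mapped under HKEY_USERS\<SID>
            Roaming  = if ($cim) { [bool]$cim.RoamingConfigured } else { $false }
            Special  = if ($cim) { [bool]$cim.Special } else { $false }           # SYSTEM, LocalService, NetworkService
            LastUsed = if ($cim) { $cim.LastUseTime } else { $null }
        }
    }
}

$profiles = Get-CachedProfile
$profiles | Sort-Object LastUsed | Format-Table -AutoSize

# Orphaned profiles keep a departed user's documents and cached credentials on the disk; review and remove.
$profiles | Where-Object { -not $_.Special -and -not $_.Account } |
    ForEach-Object { Write-Warning "Orphaned profile: $($_.Path) (SID $($_.Sid))" }

# The hives loaded at this moment: one HKEY_USERS subkey per logged-on SID (plus the _Classes hives)
Get-ChildItem -Path Registry::HKEY_USERS | Select-Object -ExpandProperty PSChildName
```

The ProfileList key is the authoritative list of what the User Profile Service will try to load; Win32_UserProfile adds the runtime view. Comparing the two against HKEY_USERS is a quick way to confirm the logon/logoff cycle in the diagram and to find profiles that should no longer exist.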
Profile Content External to the Registry
AppData: default root location for user application data and binaries.
Contacts: used to store contact information; also the address book for Windows Mail, the successor to Microsoft Outlook Express (Windows Mail is not included in Windows 7 or Windows Server 2008 R2).
Desktop: all items stored on the desktop, including files and shortcuts.
Documents: default root location for all user-created files (spreadsheets, text documents, and so on).
Downloads: default location for all files downloaded using Windows Internet Explorer.
Favorites: bookmarked Uniform Resource Locators (URLs) in Internet Explorer.
Links: file and folder shortcuts; these show up under the Favorites menu on the left side of an Explorer window.
Music: default root location for all music files.
Facts
Using mandatory and roaming profiles is a tradeoff of flexibility versus control.
Mandatory profiles do not allow anything to be saved, whether by users or by applications.
Use Folder Redirection to move folders such as Desktop and Documents out of the profile.
Keep the size of the profile to a minimum to speed up logon; set an upper limit on the size.
A small profile also speeds up logoff.
Caching the profiles speeds up logon, but a large profile consumes disk space on every computer it is cached on.
The profile cache isn't used if the original roaming profile is available, but it speeds up logon when the network connection is slow or absent.
Creating a Roaming Profile
1. Create a network share on a file server to store the roaming profiles.
2. Configure the user accounts to use roaming profiles (set the profile path on each account).
3. Have each user log on; the roaming profile is created on the share at that first logon.
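The three steps above as a script, added here as an example and not taken from the presentation. It runs on the file server and needs the ActiveDirectory RSAT module for the user-account step. The local folder D:\Profiles, the share name Profiles$, the group NOBRAINER\Roaming Users and the permission layout are assumptions for illustration; the NTFS layout is the usual one for a profile root (each user may create and own only their own folder and cannot read anyone else's).

```powershell
# Added example, not from the original presentation. Assumed names: D:\Profiles, Profiles$,
# NOBRAINER\Roaming Users. Run on the file server with the ActiveDirectory module available.
$root   = 'D:\Profiles'               # assumed local folder on the file server
$share  = 'Profiles$'                 # hidden share; users never browse to it
$group  = 'NOBRAINER\Roaming Users'   # assumed group whose members get roaming profiles
$server = $env:COMPUTERNAME

# Step 1: folder, NTFS permissions, then the share.
New-Item -Path $root -ItemType Directory -Force | Out-Null

# NTFS: strip inheritance. CREATOR OWNER with (IO) applies only to what each user creates, so a
# user owns their own folder and nothing else; the group gets "this folder only" rights to list,
# traverse and create one subfolder. No one but SYSTEM and Administrators can read other users' data.
icacls $root /inheritance:r `
    /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
    /grant "BUILTIN\Administrators:(OI)(CI)F" `
    /grant "CREATOR OWNER:(OI)(CI)(IO)F" `
    /grant "${group}:(RD,AD,RA,X)"

# Share: Full Control for Authenticated Users is acceptable because NTFS does the real restriction.
# CachingMode None keeps profile data out of Offline Files on the clients.
New-SmbShare -Name $share -Path $root -FullAccess 'NT AUTHORITY\Authenticated Users' -CachingMode None | Out-Null

# Step 2: set ProfilePath on each account. %username% is expanded by the client at logon,
# so one template serves every user and yields a per-user folder.
Import-Module ActiveDirectory
$groupName = ($group -split '\\')[1]
Get-ADGroupMember -Identity $groupName |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ProfilePath "\\$server\$share\%username%" }

# Step 3 happens at the user's next logon: the client creates \\server\Profiles$\<user>.V<n>
# (V2 for Windows 7, V6 for Windows 10 1607 and later) and uploads NTUSER.DAT at logoff.
# Verify the attribute now and the folders after the first logons:
Get-ADGroupMember -Identity $groupName |
    Get-ADUser -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath
Get-ChildItem -Path $root -Directory | Select-Object Name, CreationTime
```

The split between share and NTFS permissions matters: the share is deliberately permissive, and the NTFS ACL is what stops one user from reading another user's profile. If Administrators need to be able to open user folders created later, that is a Group Policy setting on the clients (adding the Administrators group to roaming profile folders), not something the server ACL above can grant retroactively.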
Creating a Network Default Profile
1. Log on to the server with an admin account.
2. Browse to the NETLOGON share on the domain controller: \\DOMAIN CONTROLLER\NETLOGON
3. Create a folder in the NETLOGON share and name it Default User.v2.
4. From Server Manager, click Change System Properties, navigate to the Advanced tab, and then click the Settings button in the User Profiles section.
5. Select the Default Profile from the list of profiles stored on the server and click Copy To.
6. Browse to or type the network path \\DOMAIN CONTROLLER\NETLOGON\Default User.v2.
Ensure that the profile doesn't contain any unnecessary data.
Share Permissions
A shared resource provides network access to applications, data, or a user's personal data.
Share permissions apply only to users who gain access to the resource over the network. They do not apply to users who log on locally, for example on a terminal server.
They apply to the shared resource as a whole, that is, to all files and folders in it.
They also specify the maximum number of users who are allowed to access the shared resource over the network.
The permissions are Read, Change and Full Control.

NTFS Permissions
Provide much more granularity for controlling access to resources, down to individual files.
Are only available on a volume formatted with the NTFS file system.
Affect local users as well as network users.
Are evaluated against the user and group SIDs in the access token that Windows builds for each user at logon.
Provide fine-grained access control via explicit and inherited permissions.
Active Directory Domains and Trusts

Trust
A trust relationship between two domains means that the authentication mechanism of each domain trusts authentications coming from the other domain.
Users in one domain can then be authenticated and authorized to use resources in another domain.
Trusts are authentication pipelines that must be present in order for users in one domain to access resources in another domain.

Types of Trusts
Default trusts (created automatically, two-way and transitive): Parent and child, Tree-root.
Trusts created by an administrator: External, Realm, Forest, Shortcut.

Secure Channel
The direct trust path between domain members and the domain controllers is known as a secure channel.
The secure channel is used to provide authentication and to obtain and verify security information, including security identifiers (SIDs) for users and groups.
The trust path is implemented by the Net Logon service through an authenticated remote procedure call (RPC) connection to the trusted domain authority.
A trust does not inherently give users in a trusted domain access to resources in a trusting domain. Users have access only when they are assigned the appropriate permissions.

Troubleshooting trusts
Symptoms:
Clients are not able to access resources in a domain outside the forest.
A failure occurred on the external trust between the domains.
There are trust errors between servers and workstations.
Possible causes: incorrect time synchronization between domain controllers or workstations (Kerberos rejects tickets when clocks differ by more than the allowed skew, five minutes by default), the server might be down, or the trust relationship might be broken.
To verify a trust from the trusting domain with netdom (the /Kerberos check is used together with /Verify):
NETDOM TRUST <trusting_domain_name> /d:<trusted_domain_name> /Verify /Kerberos /UserO:<user account used to connect to the trusting domain> /PasswordO:<password of the /UserO account> /UserD:<user account used to connect to the trusted domain given by /d> /PasswordD:<password of the /UserD account>
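The checks below are an added example, not part of the presentation. They are the sequence a practitioner runs when the symptoms above appear, from a domain controller or an admin workstation in the trusting domain: read the trust definition, check clocks, check that the trusted domain's DCs can be located, and only then exercise the trust with the netdom command from the slide. The domain names nobrainer.com and partner.example and the admin account names are assumptions for illustration; netdom prompts for the passwords because of the "*".

```powershell
# Added example, not from the original presentation. Assumed names: nobrainer.com (trusting),
# partner.example (trusted), an account called admin in each. Needs the ActiveDirectory module.
Import-Module ActiveDirectory
$trusting = 'nobrainer.com'       # assumed: domain holding the resources
$trusted  = 'partner.example'     # assumed: domain whose users need access

# 1. How the trust is defined on the trusting side. Direction is from the trusting domain's point
#    of view. SIDFilteringQuarantined = True means SID history from the other side is discarded,
#    the default for external trusts; leave it on unless there is a migration reason not to.
Get-ADTrust -Filter "Target -eq '$trusted'" -Server $trusting |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SelectiveAuthentication, SIDFilteringQuarantined, SIDFilteringForestAware

# 2. Clocks. Kerberos rejects tickets when the skew exceeds KDC policy (5 minutes by default), so
#    compare this machine against the trusted domain before blaming the trust itself.
w32tm /query /status
w32tm /stripchart /computer:$trusted /samples:3 /dataonly

# 3. DC locator: if the trusted domain's DCs cannot be found through DNS, nothing else will work.
nltest /dsgetdc:$trusted
nltest /trusted_domains

# 4. Verify the trust secret and exercise Kerberos across the trust (the command from the slide).
netdom trust $trusting /d:$trusted /verify /kerberos `
    "/UserO:$trusting\admin" /PasswordO:* `
    "/UserD:$trusted\admin"  /PasswordD:*

# 5. If step 4 fails with an authentication error, reset the trust password from the trusting
#    side; netdom updates both sides, after which step 4 should pass.
# netdom trust $trusting /d:$trusted /reset "/UserO:$trusting\admin" /PasswordO:* "/UserD:$trusted\admin" /PasswordD:*
```

Order matters here: a clock or DNS problem produces the same "trust relationship failed" symptoms as a genuinely broken trust, and resetting the trust password (step 5) when the real cause is time skew changes nothing except the shared secret.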
A computer running on Windows OS can either be a member of a Workgroup or a Domain.
Joining a computer to an AD domain creates an account in the domain for the computer. This allows the computer to exist as a controllable, configurable, authenticated, individual in the domain.
In Domain
The computer is a member of a Domain.
Domain users as well as the computer itself authenticate to the domain.
User credentials are stored on the domain controller; a cached logon verifier is also kept locally so that a user can still log on when no domain controller is reachable.
Network access is seamless across the domain (single sign-on).
Domain users must provide a password or other credentials when they log on to the domain; Kerberos tickets then give access to resources without re-entering them.
If you have a user account on the domain, you can log on to any computer in the domain without needing an account on that computer.
You probably can make only limited changes to a computer's settings, because network administrators usually want to ensure consistency among computers.
There can be thousands of computers in a domain.
The computers can be on different local networks.
What happens when a computer is joined to a domain?
A computer account is created in the domain (its sAMAccountName is the computer name followed by $).
A password is shared between the computer and the domain; the computer changes it automatically, every 30 days by default.
On startup, Netlogon attempts to discover a DC for the domain in which its machine account exists (the DC locator, which uses DNS SRV records).
After locating the appropriate DC, the machine account password held by the workstation is authenticated against the password stored on the DC.
After the machine account is verified, the workstation establishes a secure channel with that DC.
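An added example, not from the presentation, that performs the join and then inspects what it created on both ends: the computer object on the DC and the secure channel on the workstation. The domain nobrainer.com, the OU and the credential are assumptions for illustration. Add-Computer requires a reboot, so Part 1 and Part 2 are two separate runs; Part 2 needs the ActiveDirectory RSAT module on the workstation.

```powershell
# Added example, not from the original presentation. Assumed: domain nobrainer.com and
# OU=Workstations. Part 1 reboots the machine; run Part 2 afterwards as a separate script.
$domain = 'nobrainer.com'                          # assumed
$ou     = 'OU=Workstations,DC=nobrainer,DC=com'    # assumed: where the computer object is created

# --- Part 1: the join. Creates the computer account (sAMAccountName = hostname + '$') in $ou and
#     agrees the machine account password that both sides keep from now on.
$cred = Get-Credential -Message "Account allowed to join computers to $domain"
Add-Computer -DomainName $domain -OUPath $ou -Credential $cred -Restart

# --- Part 2: after the reboot.
# Which DC did Netlogon's DC locator pick, and in which site?
nltest /dsgetdc:$domain

# Secure channel: Netlogon authenticated with the machine password and set up the channel at boot.
# $true means it is healthy; -Repair re-keys the machine password when it is not (the classic fix
# for "the trust relationship between this workstation and the primary domain failed").
if (-not (Test-ComputerSecureChannel)) {
    $cred = Get-Credential -Message "Account allowed to reset this computer's account in $domain"
    Test-ComputerSecureChannel -Repair -Credential $cred
}

# DC side: the computer object and when its password was last rotated.
Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet, OperatingSystem |
    Format-List Name, DistinguishedName, PasswordLastSet, OperatingSystem

# Client side: the Netlogon parameters that govern rotation. MaximumPasswordAge defaults to 30 days
# and DisablePasswordChange should stay 0; a machine whose password never changes is a standing
# credential for anyone who extracts it from the box.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' |
    Select-Object MaximumPasswordAge, DisablePasswordChange
```

PasswordLastSet on the computer object and MaximumPasswordAge on the client are the two values to compare when a machine that was powered off for months cannot re-establish its secure channel: the DC still accepts the previous password once, which is why a long-idle machine usually joins back without a reset.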
Benefits
Centralizes control of network resources.
Lets resource management be centralized or delegated (decentralized), as the organization requires.
Stores objects securely in a logical structure.
Optimizes network traffic (replication and logon traffic follow the site topology).

Logical Structure: Objects, Organizational Units, Domains, Trees, Forests.
Physical Structure: Domain controllers, Sites.
Active Directory Partitions
To scale to tens of millions of objects, a forest is partitioned into domains.
Every domain controller holds the following directory partitions:
Configuration: contains the forest topology, a record of all domain controllers, sites and the connections between them in the forest. Replicated to every DC in the forest.
Schema: contains the forest-wide schema. Replicated to every DC in the forest.
Domain: contains replicas of all of the objects in that domain. The domain partition is replicated only to other domain controllers in the same domain.
A domain controller may additionally host Application partitions: optional partitions (the DNS zones DomainDnsZones and ForestDnsZones are the usual ones) that replicate only to the domain controllers enrolled to host them.
Flexible Single Master Operations (FSMO)
Forest-wide roles (one holder per forest):
Schema Master
Domain Naming Master
Domain-wide roles (one holder per domain):
Primary domain controller emulator (PDC)
Relative identifier master (RID)
Infrastructure Master
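The script below is an added example, not from the presentation, that reads the partition list and the FSMO role holders from a live directory rather than stating them: which naming contexts exist, which DCs hold each one, and who holds the five roles. It needs the ActiveDirectory RSAT module and a reachable DC; nothing else is assumed, all names come from the directory itself.

```powershell
# Added example, not from the original presentation: enumerate partitions and FSMO role holders.
# Needs the ActiveDirectory module; no domain names are assumed.
Import-Module ActiveDirectory

function Get-DirectoryPartition {
    $dse = Get-ADRootDSE
    $wellKnown = @($dse.schemaNamingContext, $dse.configurationNamingContext, $dse.defaultNamingContext)
    [pscustomobject]@{
        Schema        = $dse.schemaNamingContext          # CN=Schema,CN=Configuration,...  forest-wide
        Configuration = $dse.configurationNamingContext   # CN=Configuration,...            forest-wide
        Domain        = $dse.defaultNamingContext         # DC=...                          this domain only
        # anything else in namingContexts is an application partition (DNS zones, typically)
        Application   = @($dse.namingContexts | Where-Object { $_ -notin $wellKnown })
    }
}

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $domain.PDCEmulator           # domain-wide
        RIDMaster            = $domain.RIDMaster             # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster  # domain-wide
    }
}

Get-DirectoryPartition | Format-List

# Which DC of this domain hosts which partition: Schema and Configuration on all of them, the domain
# partition on all DCs of this domain, application partitions only where they are enrolled.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, @{ n = 'Partitions'; e = { $_.Partitions -join '; ' } } |
    Format-Table -Wrap

$roles = Get-FsmoRoleHolder
$roles | Format-List

# Operational caveat: the Infrastructure Master must not be a global catalog unless every DC in the
# domain is one, otherwise cross-domain group membership references stop being updated.
$im    = Get-ADDomainController -Identity $roles.InfrastructureMaster
$nonGc = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $false })
if ($im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
    Write-Warning "Infrastructure Master $($im.HostName) is a GC while $($nonGc.Count) DC(s) are not."
}
```

Knowing the role holders is also a security matter: the Schema Master and Domain Naming Master are the two DCs whose compromise affects the whole forest, and the PDC emulator is the one that receives password changes first and is consulted on bad-password logons.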
Effective Permissions
File permissions override folder permissions.
Allow permissions are cumulative.
Deny overrides Allow.
Explicit permissions override inherited permissions (so an explicit Allow on a file beats a Deny inherited from its folder).
Access is often not determined by NTFS ACEs only: over the network the share permissions are evaluated as well and the more restrictive of the two applies; ownership and privileges such as Backup can also grant access.
ACEs have one of five possible states:
Not specified: neither the Allow nor the Deny check box is selected.
Explicit Allow: the Allow check box is selected.
Inherited Allow: the Allow check box is grey and selected.
Explicit Deny: the Deny check box is selected.
Inherited Deny: the Deny check box is grey and selected.
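An added example, not from the presentation, that models how Windows walks a DACL to decide an access request and shows each of the rules above (cumulative Allow, Deny over Allow, explicit over inherited) actually happening, then applies the share-plus-NTFS rule from the Share Permissions section. The rights, the ACEs and the token are constructed data, not output of Get-Acl; the ordering and the evaluation semantics are those of the Windows access check, where a DACL in canonical order is scanned once and the first ACE that decides a still-wanted right wins.

```powershell
# Added example, not from the original presentation. All ACEs, rights and the token are constructed.
[Flags()] enum Right {
    Read              = 1
    Write             = 2
    Execute           = 4
    Delete            = 8
    ChangePermissions = 16
}

function New-Ace {
    param([string]$Identity, [ValidateSet('Allow', 'Deny')][string]$Type, [Right]$Rights, [switch]$Inherited)
    [pscustomobject]@{ Identity = $Identity; Type = $Type; Rights = $Rights; Inherited = [bool]$Inherited }
}

function Get-CanonicalAcl {
    # Windows keeps a DACL in canonical order: explicit Deny, explicit Allow, inherited Deny, inherited
    # Allow. This ordering is what makes "Deny overrides Allow" and "explicit overrides inherited" true.
    param([object[]]$Dacl)
    $Dacl | Sort-Object { [int]$_.Inherited * 2 + [int]($_.Type -eq 'Allow') }
}

function Test-Access {
    # $true when every desired right is granted before a Deny for a still-wanted right is reached.
    param([object[]]$Dacl, [string[]]$Token, [Right]$Desired)
    $remaining = [int]$Desired
    foreach ($ace in Get-CanonicalAcl $Dacl) {
        if ($Token -notcontains $ace.Identity) { continue }        # ACE is for a SID not in the token
        if ($ace.Type -eq 'Deny') {
            if (($remaining -band [int]$ace.Rights) -ne 0) { return $false }
        } else {
            $remaining = $remaining -band (-bnot [int]$ace.Rights)  # Allow entries accumulate
            if ($remaining -eq 0) { return $true }
        }
    }
    return $remaining -eq 0    # rights nobody granted are denied; an empty DACL grants nothing
}

function Test-RemoteAccess {
    # Over the network both gates apply: effective rights are the intersection of the share
    # permission and the NTFS decision, i.e. the more restrictive of the two.
    param([object[]]$Dacl, [string[]]$Token, [Right]$SharePermission, [Right]$Desired)
    $shareOk = (([int]$SharePermission) -band [int]$Desired) -eq [int]$Desired
    return $shareOk -and (Test-Access -Dacl $Dacl -Token $Token -Desired $Desired)
}

# Constructed token for the user from the DN slide: member of Users and Sales.
$rahul = 'BUILTIN\Users', 'NOBRAINER\Sales'

# Constructed DACL of a file inside the Sales folder: two entries inherited from the folder, one explicit.
$fileDacl = @(
    (New-Ace 'BUILTIN\Users'   Allow 'Read, Execute' -Inherited),
    (New-Ace 'NOBRAINER\Sales' Deny  'Write'         -Inherited),
    (New-Ace 'NOBRAINER\Sales' Allow 'Write')                       # explicit, set on the file itself
)
# The same folder's own DACL, where both the Allow and the Deny for Write are at the same level.
$folderDacl = @(
    (New-Ace 'BUILTIN\Users'   Allow 'Read, Write, Execute' -Inherited),
    (New-Ace 'NOBRAINER\Sales' Deny  'Write'                -Inherited)
)

# Share permission "Read" is Read+Execute; "Change" adds Write and Delete; Full Control adds the rest.
$shareRead   = [Right]'Read, Execute'
$shareChange = [Right]'Read, Write, Execute, Delete'

[pscustomobject]@{
    'File: Read (inherited Allow)'                 = Test-Access -Dacl $fileDacl   -Token $rahul -Desired 'Read'
    'File: Write (explicit Allow vs inherited Deny)' = Test-Access -Dacl $fileDacl   -Token $rahul -Desired 'Write'
    'File: Delete (nobody granted it)'             = Test-Access -Dacl $fileDacl   -Token $rahul -Desired 'Delete'
    'Folder: Write (Deny vs Allow, same level)'    = Test-Access -Dacl $folderDacl -Token $rahul -Desired 'Write'
    'File over share Read: Write'                  = Test-RemoteAccess -Dacl $fileDacl -Token $rahul -SharePermission $shareRead   -Desired 'Write'
    'File over share Change: Write'                = Test-RemoteAccess -Dacl $fileDacl -Token $rahul -SharePermission $shareChange -Desired 'Write'
} | Format-List
```

The model deliberately omits the things the slide lists as "not NTFS ACEs": ownership (an owner can always read and change the DACL), privileges such as SeBackupPrivilege, and the fact that a Deny for a group the user is not in is simply skipped. Against a real file, compare its output with the Effective Access tab, which uses the same token-against-canonical-DACL walk.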
Global Catalog
What does the global catalog contain?
The attributes that are most frequently used in queries, such as a user's first name, last name and logon name.
The information that is necessary to determine the location of any object in the directory.
The access permissions for each object and attribute that it stores.
Distinguished Name (DN): CN=Rahul Gandhi,OU=Sales,DC=Nobrainer,DC=com
Relative Distinguished Name (RDN): CN=Rahul Gandhi, the first component of the DN; its value is "Rahul Gandhi" and it must be unique within OU=Sales.
User Principal Name (UPN): RahulG@nobrainer.com
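An added example, not from the presentation, that splits a DN into its RDNs the way LDAP does, honouring backslash escapes (RFC 4514), and looks a user up by UPN rather than by DN. The second DN, with an escaped comma inside the name, is constructed to show why splitting on "," is wrong; the UPN lookup needs the ActiveDirectory module and is commented out so the rest runs anywhere.

```powershell
# Added example, not from the original presentation. The DN with the escaped comma is constructed.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$Dn)
    $rdns = New-Object System.Collections.Generic.List[string]
    $sb   = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Dn.Length; $i++) {
        $c = $Dn[$i]
        if ($c -eq '\' -and $i + 1 -lt $Dn.Length) {
            [void]$sb.Append($c).Append($Dn[++$i])       # keep the escape with the character it protects
        } elseif ($c -eq ',') {
            $rdns.Add($sb.ToString()); [void]$sb.Clear()  # an unescaped comma terminates an RDN
        } else {
            [void]$sb.Append($c)
        }
    }
    $rdns.Add($sb.ToString())
    return ,$rdns.ToArray()
}

function Get-NameParts {
    param([Parameter(Mandatory)][string]$Dn)
    $rdns = Split-DistinguishedName $Dn
    $attr, $value = $rdns[0] -split '=', 2
    [pscustomobject]@{
        DistinguishedName = $Dn
        RDN               = $rdns[0]                                   # e.g. CN=Rahul Gandhi
        RdnValue          = $value -replace '\\(.)', '$1'              # display value with escapes removed
        Parent            = ($rdns | Select-Object -Skip 1) -join ','  # the container the object lives in
    }
}

Get-NameParts 'CN=Rahul Gandhi,OU=Sales,DC=Nobrainer,DC=com'
Get-NameParts 'CN=Gandhi\, Rahul,OU=Sales,DC=Nobrainer,DC=com'   # a naive split would turn " Rahul" into an RDN

# The UPN is the stable logon name; the DN changes whenever the object is moved between OUs, so
# automation should key on UPN (or objectGUID), never on DN. The RFC 4515 escaping keeps a
# user-supplied value from altering the meaning of the LDAP filter.
function Get-UserByUpn {
    param([Parameter(Mandatory)][string]$Upn)
    $safe = $Upn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    Get-ADUser -LDAPFilter "(userPrincipalName=$safe)" -Properties UserPrincipalName |
        Select-Object SamAccountName, UserPrincipalName, DistinguishedName
}
# Get-UserByUpn 'RahulG@nobrainer.com'
```

Two consequences for tooling follow from this: anything that parses DNs out of logs or group membership attributes must use an escape-aware splitter like the one above, and anything that builds LDAP filters from input it did not generate must escape that input.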
Logon Groups
INTERACTIVE (well-known SID S-1-5-4): includes all users who logged on at the console of the computer or via Terminal Services.
NETWORK (well-known SID S-1-5-2): includes all users who logged on via the network.
Built-in Groups and Users