Week 9 - Active Directory Domains and Trusts, Schema.pptx

Full Transcript


Week 9: Active Directory Domains and Trusts, Schema
NTWK-8070: Windows Server Roles and Features

This week…
This week we will learn about:
• Introduction to Domains and Trusts
• Introduction to Trust Relationships
• Forest Functionality Levels
• The Schema

Domains and Trusts – What are they?
A quick recap…
Domain – Logical group of objects that share the same database (yourlastname.com)
Tree – A collection of domains, i.e. sales.yourlastname.com. These are essentially “subdomains”.
Forest – A collection of trees that share the same schema (more on that later)

Domain in Detail
We’ve covered domains in detail already, so this is a bit more of a recap. A domain is a “network of objects” (such as user accounts, computer accounts and groups – security principals) that are registered to a central database. It is essentially a “common management zone” that all objects are part of.

Tree
A tree is a collection of domains that share a namespace. For example, a tree typically contains subdomains – member domains of a main parent domain.
[Diagram: YourLastname.com with child domains Sales.YourLastname.com and Admin.YourLastname.com]

Forest
A forest is a collection of trees that share a schema.
[Diagram: tree YourLastname.com (Sales.YourLastname.com, Admin.YourLastname.com) and tree SergeT.Local (Teacher.SergeT.local, Prof.SergeT.Local), joined by a trust]

How Forests and Trees grow
For this example, we are creating our first domain. When creating our first domain, you also create a forest and a tree.
Example: FirstDomain.local

The initial forest/tree
When we create the “FirstDomain.local” domain as our first domain, it also creates a tree. The only member of the tree is our first domain. A forest is also created, which houses this first tree with our only domain.
[Diagram: FirstDomain.local]

Domains, Trees, Forests and Trusts
[Diagram: forest with trees YourLastname.com (Sales.YourLastname.com, Admin.YourLastname.com) and SergeT.Local (Teacher.SergeT.local, Prof.SergeT.Local) joined by a trust; alongside it the domains Example.com, Conestogac.on.ca and Email.example.com]

Important: Forest Names
The first domain that you deploy in an Active Directory forest is called the forest root domain. This domain remains the forest root domain for the life cycle of the AD DS deployment. The forest root domain contains the Enterprise Admins and Schema Admins groups. These service administrator groups are used to manage forest-level operations such as the addition and removal of domains and the implementation of changes to the schema.

Important: Forest Names (cont’d)
The forest root domain name is also the name of the forest.

What about multiple forests?
As you should now know, a forest is the topmost logical container in a directory. Trees in a forest, while they can be separate domains, still share some objects. One of the key items they share is access – meaning that members of one domain can, when configured, access resources on another domain, permissions permitting.

Multiple Forests
Multiple forests are really the most “absolute” way to divide domains. A multi-forest model is complex and involves a significant amount of overhead; however, it adds some benefits:
• Autonomy (via segregating everything, including the schema)
• Segregation (limiting access to anyone outside of the forest) – That being said, a trust relationship can allow “certain limited” access to resources.

Multiple Forest Example
[Diagram: two forests, each showing the YourLastname.com tree (Sales.YourLastname.com, Admin.YourLastname.com) and the SergeT.Local tree (Teacher.SergeT.local, Prof.SergeT.Local) joined by a trust, plus Example.com, Conestogac.on.ca and Email.example.com, with “TRUST???” drawn between the forests]

Trusts
There are a number of trusts that exist.
Trusts are simply a way for two domains to share information and/or resources. Trusts, in a nutshell, are ways to allow security principals to access resources that are outside their domain, be it in the same tree, forest, or in another forest altogether.

Classifying Trusts
You can classify trusts based on:
• Characteristics:
– Transitive
– Non-Transitive
• Direction:
– One-way
– Two-way

Brief list of Trust Types
• Parent-Child
• Tree-Root
• Forest Trusts
• Shortcut Trusts
• External Trusts (not discussed)

Breaking down Trusts – Transitivity
Transitivity determines whether a trust can be extended outside of the two domains with which it was formed.
– A transitive trust can be used to extend trust relationships with other domains.
– A non-transitive trust can be used to deny trust relationships with other domains.
– A transitive trust is a trust that is extended to each object that is trusted.
– In contrast, a non-transitive trust extends only to one object (a 1:1 mapping).
Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain

Direction
Direction determines in what way a trust flows, and if there is reciprocity.
• A two-way trust has both objects trust each other and allows sharing of objects bidirectionally.
• A one-way trust has trust flow one way; for example, a domain may simply trust another for authentication, but not allow access to any resources.

Parent-Child trust
A parent-child trust is a two-way transitive trust that is automatically established when a child is added. This can be a new domain added to a tree, or a new tree added to a forest. A tree-root trust is another type of parent-child trust that is automatically created between the newly added tree and all other trees in the forest.
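The classification above (transitivity, direction, and the parent-child / tree-root / forest / shortcut / external types) can be read straight off the trust objects in the directory. The script below is an added example, not code from the lecture: it inventories the current domain’s trusts with the RSAT ActiveDirectory module and flags trusts whose SID filtering is not what a defender would expect. The function name Get-TrustSummary is my own; the bit values are the documented trustAttributes flags.

```powershell
# Added example (not the lecture's code). Requires the RSAT ActiveDirectory module
# and read access to the trustedDomain objects of the current domain.
Import-Module ActiveDirectory

# trustAttributes bit flags (documented in MS-ADTS)
$TA_NON_TRANSITIVE    = 0x01
$TA_QUARANTINED       = 0x04   # SID filtering enforced on an external trust
$TA_FOREST_TRANSITIVE = 0x08
$TA_CROSS_ORG         = 0x10   # selective authentication
$TA_WITHIN_FOREST     = 0x20
$TA_TREAT_AS_EXTERNAL = 0x40   # SID history honoured over a forest trust (filtering relaxed)

function Get-TrustSummary {
    param([Parameter(Mandatory)] $Trust)   # one object returned by Get-ADTrust
    $attr = [int]$Trust.TrustAttributes

    # Type is derived from the attribute bits. Parent-child and shortcut trusts both
    # show as "within forest"; IsTreeRoot separates the tree-root case.
    $type = if ($attr -band $TA_WITHIN_FOREST) {
                if ($Trust.IsTreeRoot) { 'Tree-Root' } else { 'Parent-Child or Shortcut' }
            } elseif ($attr -band $TA_FOREST_TRANSITIVE) { 'Forest' }
            else { 'External' }

    # Hardening expectation: forest trusts keep SID filtering (no TREAT_AS_EXTERNAL),
    # external trusts are quarantined; intra-forest trusts never filter SIDs.
    $sidFilterOk = switch ($type) {
        'Forest'   { -not ($attr -band $TA_TREAT_AS_EXTERNAL) }
        'External' { [bool]($attr -band $TA_QUARANTINED) }
        default    { $true }
    }

    [pscustomobject]@{
        Partner       = $Trust.Name
        Type          = $type
        Direction     = $Trust.Direction                 # Inbound, Outbound, BiDirectional
        Transitive    = -not ($attr -band $TA_NON_TRANSITIVE)
        SelectiveAuth = [bool]($attr -band $TA_CROSS_ORG)
        SidFilterOk   = $sidFilterOk
    }
}

$report = Get-ADTrust -Filter * | ForEach-Object { Get-TrustSummary -Trust $_ }
$report | Format-Table -AutoSize

# Trusts that miss the SID-filtering expectation are the ones to review first.
$report | Where-Object { -not $_.SidFilterOk } |
    ForEach-Object { Write-Warning "Review trust to $($_.Partner) ($($_.Type)): SID filtering not enforced" }
```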
Parent-Child Trust Illustrated
[Diagram: Yourlastname.local with parent-child trusts to Sales.yourlastname.local and admin.yourlastname.local]

Tree-Root Trust Illustrated
[Diagram: tree-root trust between Yourlastname.local and Conestogac.on.ca; parent-child trusts from Yourlastname.local to Sales.yourlastname.local and admin.yourlastname.local]

Forest Trusts
Forest trusts are transitive trusts that are either one-way or two-way and are manually created. Once created, the trust allows all objects (domains) of one forest to trust another forest (domains) – hence being transitive.

Forest Trust Illustrated
[Diagram: forest trust between Yourlastname.local and Yourfirstname.local; each has parent-child trusts to its Sales. and admin. child domains]

Shortcut trusts
Shortcut trusts are manually created one-way transitive trusts that directly allow one domain to trust another domain across different forests, bypassing any other trust paths (such as parent-child or forest trusts). A shortcut trust is typically used when the two domains do not directly trust each other (have no trust path).

Shortcut Trust Illustrated
[Diagram: tree-root trust between Yourlastname.local and Conestogac.on.ca, with parent-child trusts from Yourlastname.local to Sales.yourlastname.local and admin.yourlastname.local]

How to create/edit trusts

Functionality Levels
What are Functionality Levels?
Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run as domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest. When you deploy AD DS, set the domain and forest functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible.
When you deploy a new forest, you are prompted to set the forest functional level and then set the domain functional level. You can set the domain functional level to a value that is higher than the forest functional level, but you cannot set the domain functional level to a value that is lower than the forest functional level. With the end of life of Windows Server 2003, 2008, and 2008 R2, these domain controllers (DCs) need to be updated to Windows Server 2012, 2012 R2, 2016, or 2019. As a result, any domain controller that runs Windows Server 2008 R2 and older should be removed from the domain.

Functionality Levels of Forests and Domains
When setting up domains and forests, you have the option of specifying a functionality level. The functionality levels are:
• Server 2000
• Server 2003
• Server 2008
• Server 2008 R2
• Server 2012
• Server 2012 R2
• Server 2016
There have been no new forest or domain functional levels added since Windows Server 2016. Later operating system versions can and should be used for domain controllers; however, they use Windows Server 2016 as the most recent functional level.

Schema
The Schema
The Microsoft Active Directory schema contains formal definitions of every object class (i.e. User, Computer) that can be created in an Active Directory forest. The schema also contains formal definitions of every attribute (First Name, Last Name, etc.) that can exist in an Active Directory object.

What is the Schema Used For?
Every object in Active Directory is created with a certain “blueprint”. A blueprint contains all the required attributes of the object. For example, a User object contains “sAMAccountName”, which is the login name of a user. This attribute is defined in the Schema.

Editing the Schema
As Active Directory is essentially a database, and the Schema governs the database and all the objects (and structures), it is entirely possible to add custom attributes to the Schema. This is done to “extend” an object, either for a custom application or for other reasons. For better or worse, Schema changes are permanent, and can’t be undone without significant effort (reverting to a backup, having to shut down all your servers in the process).

When the Schema is updated
The most frequently observed case for Schema changes is the installation of Exchange Server (main server). The Exchange Server installation modifies the Schema to add a number of attributes that are mail-specific.

To do
Your lab this week will have you go over domains and trusts. At the end of this class, you will have time to watch some required preparation to get you familiar with Domains and Trusts.

End of Lecture, Questions?
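The functional-level and schema sections above describe things an administrator should be able to check before raising a level or approving a schema change. The script below is an added example, not part of the lecture: it reports the forest and domain functional levels with the domain controllers that would block a raise, then reads the schema container for its base version, the Exchange extension, the sAMAccountName definition mentioned on the slides, and the membership of Schema Admins. It assumes the RSAT ActiveDirectory module; the two function names are my own.

```powershell
# Added example (not the lecture's code). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FunctionalLevelReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # DCs on 2008 R2 and older are out of support and must be removed before the level
    # can be raised (as the slides state); list them so the raise can be planned.
    $dcs    = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem
    $legacy = @($dcs | Where-Object { $_.OperatingSystem -match '2000|2003|2008' })
    [pscustomobject]@{
        Forest         = $forest.RootDomain     # the forest name is the forest root domain name
        ForestMode     = $forest.ForestMode
        Domain         = $domain.DNSRoot
        DomainMode     = $domain.DomainMode
        LegacyDCs      = @($legacy.HostName)
        CanRaiseTo2016 = ($legacy.Count -eq 0)
    }
}

function Get-SchemaReport {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # objectVersion on the schema container is the base schema version shipped with Windows.
    $base = (Get-ADObject $schemaNC -Properties objectVersion).objectVersion
    # Exchange records its schema version in rangeUpper of ms-Exch-Schema-Version-Pt
    # (the object is absent if Exchange never extended this forest).
    $exch = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Exch-Schema-Version-Pt)' -Properties rangeUpper
    # The attribute definition the slides use as their example.
    $sam  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=sAMAccountName)' -Properties attributeSyntax, isSingleValued
    # Schema Admins lives in the forest root domain and should be empty except during a change.
    $admins = Get-ADGroupMember 'Schema Admins' -Server (Get-ADForest).RootDomain
    [pscustomobject]@{
        BaseSchemaVersion     = $base
        ExchangeSchemaVersion = if ($exch) { $exch.rangeUpper } else { 'not extended' }
        sAMAccountNameSyntax  = $sam.attributeSyntax
        sAMAccountNameSingle  = $sam.isSingleValued
        SchemaAdmins          = @($admins.SamAccountName)
    }
}

Get-FunctionalLevelReport | Format-List
Get-SchemaReport | Format-List

# Once no legacy DCs remain, raising the levels is a one-way change (like a schema change):
#   Set-ADForestMode -Identity (Get-ADForest).Name  -ForestMode Windows2016Forest
#   Set-ADDomainMode -Identity (Get-ADDomain).DNSRoot -DomainMode Windows2016Domain
```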
