Mastering
Active Directory
Windows Server 2019
TABLE OF CONTENTS
What is Active Directory?
When do we use Active Directory?
Why use Active Directory?
Configure and manage Active Directory
What is Active Directory?
Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and enables
administrators to manage permissions and access to network resources.
Active Directory stores data as objects. An object is a single element, such as a user, group, application or device
such as a printer. Objects are normally defined as either resources, such as printers or computers, or security
principals, such as users or groups.
When do we use Active Directory?
– Many users
– Need for centralized management
– Need for policies that apply to the whole organization
– Control of network usage
– Assets that need to be controlled
– Collaboration across the organization
Why use Active Directory?
Active Directory simplifies life for administrators and end users while enhancing security for organizations.
Administrators enjoy centralized user and rights management, as well as centralized control over computer
and user configurations through the AD Group Policy feature.
Active Directory licensing
User CAL
Device CAL
With per-user licensing you need to buy as many CALs as you have users in your domain. This option is
better when you have more computers/devices than users in your environment.
The second option, per-device licensing, is better if you have more users than computers/devices. Then a
CAL must be bought for each device.
Active Directory on Windows Server 2019
Active Directory Certificate Services
Active Directory Certificate Services (AD CS) is one of the server roles introduced in Windows Server 2008. It
provides customizable services for creating and managing Public Key Infrastructure (PKI) certificates, which can
be used for encrypting and digitally signing electronic documents, emails, and messages.
The applications supported by AD CS include secure wireless networks, Virtual Private Networks (VPN), Internet
Protocol Security (IPsec), Network Access Protection (NAP), Encrypting File System (EFS), smart card logon, and
more.
Active Directory Domain Services
Active Directory Domain Services (AD DS) is a server role in Active Directory that allows admins to
manage and store information about resources from a network, as well as application data, in a
distributed database.
Active Directory Federation Services
Active Directory Federation Services (AD FS) is a feature of the Windows Server operating system
(OS) that extends end users' single sign-on (SSO) access to applications and systems outside the
corporate firewall.
AD Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS) provides an LDAP directory service that runs as a
standalone service on Windows Server, without the domains, domain controllers, DNS and Group Policy
infrastructure of AD DS, so directory-enabled applications can keep their own data without depending on, or
changing the schema of, the corporate domain.
Use case:
You need to provide authentication services for a web application such as Microsoft SharePoint Portal
Server in a perimeter network or extranet. AD LDS can query the internal AD DS structure through a
firewall to obtain user account information and store it securely in the perimeter network. This avoids
the need to deploy AD DS in the perimeter.
Differences between AD DS and AD LDS
AD LDS compared with AD DS:
– Supports multiple instances (one schema per instance)
– Does not require DNS
– No Group Policy support
– No global catalog support
– Cannot manage workstations/servers
– Supports different sites and replication, but not trusts
AD Rights Management Services
AD RMS has its own set of tools to help organizations work with security technologies and manage the
rights to an organization's intellectual property (including email messages, Microsoft Office documents,
project information, contacts, etc.).
AD RMS integrates with existing Microsoft products and operating systems, including Windows Server,
Exchange Server, SharePoint Server, the Microsoft Office suite and Microsoft Azure.
Active Directory hierarchical structure
Active Directory Basic
- DNS
- LDAP
- Schema
- Global Catalog
- FSMO Role
Domain Name System
Active Directory Domain Services (AD DS) uses Domain Name System (DNS) name
resolution services to make it possible for clients to locate domain controllers and
for the domain controllers that host the directory service to communicate with each
other.
AD & DNS
LDAP
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling
anyone to locate data about organizations, individuals and other resources such as
files and devices in a network -- whether on the public Internet or on a corporate
Intranet.
Active Directory Schema
A schema is the definition of attributes and classes that are part of a distributed
directory and is similar to fields and tables in a database. Schemas include a set of
rules which determine the type and format of data that can be added or included in the
database.
The directory database is divided into partitions (naming contexts):
- Configuration partition: forest-wide information about the Active Directory structure
- Schema partition: forest-wide definitions and rules for creating and manipulating objects and attributes
- Domain partition: information about the domain-specific objects created in Active Directory
- Application partitions: application data (e.g. ForestDNSZone, DomainDNSZone)
Global Catalog
The global catalog is used for:
- Object search
- Authentication
- Verifying membership
- Checking objects within the forest
- Exchange Address Book search
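The LDAP, schema and global catalog slides above fit together in one query path: the schema decides which attributes are copied into the global catalog, and a GC search on port 3268 answers forest-wide with only those attributes. The following PowerShell is an added example, not part of the slides; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the LDAP-filter escaping follows RFC 4515 so that a user-supplied name cannot alter the filter.

```powershell
Import-Module ActiveDirectory

# Escape the characters that have meaning in an LDAP filter (RFC 4515) before
# interpolating untrusted input, otherwise "*" or ")(" can rewrite the query.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace "`0", '\00'
}

# Is this attribute part of the partial attribute set, i.e. replicated to every GC?
# Attributes outside the set are only answerable by a DC of the owning domain on port 389.
function Test-AttributeInGlobalCatalog {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $safe = ConvertTo-LdapFilterValue $LdapDisplayName
    $attr = Get-ADObject -SearchBase $schemaNc -Properties isMemberOfPartialAttributeSet `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$safe))"
    if (-not $attr) { throw "No attribute '$LdapDisplayName' in the schema" }
    [bool]$attr.isMemberOfPartialAttributeSet
}

# Resolve an account anywhere in the forest with one query against a GC (port 3268)
# instead of one LDAP query per domain. An empty SearchBase means "the whole forest".
function Find-ForestAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $gc = Get-ADDomainController -Discover -Service GlobalCatalog
    $safe = ConvertTo-LdapFilterValue $SamAccountName
    Get-ADObject -Server "$($gc.HostName):3268" -SearchBase '' -SearchScope Subtree `
        -LDAPFilter "(sAMAccountName=$safe)" -Properties sAMAccountName, objectSid, objectClass
}

# Example run (the sAMAccountName is a constructed placeholder):
Test-AttributeInGlobalCatalog -LdapDisplayName 'mail'
Find-ForestAccount -SamAccountName 'jdoe'
```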
FSMO (Flexible Single Master Operation) Roles
FSMO roles
- Schema Master: manages the read-write copy of your Active Directory schema.
- Domain Naming Master: makes sure that you don't create a second domain in the same forest with the same name as another.
- RID Master: assigns blocks of Security Identifiers (SIDs) to different DCs, which they can use for newly created objects.
- PDC Emulator: responds to authentication requests, changes passwords, and manages Group Policy Objects.
- Infrastructure Master: translates Globally Unique Identifiers (GUIDs), SIDs, and Distinguished Names (DNs) between domains.
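Because each role has exactly one holder, an unreachable or badly placed holder is a single point of failure for the operation it owns. The following PowerShell inventory is an added example (not from the slides); it assumes the RSAT ActiveDirectory module and rights to query the domain, lists the five holders, and flags an RODC holding a role, an unreachable holder, and the Infrastructure Master sitting on a global catalog in a multi-domain forest where not every DC is a GC.

```powershell
Import-Module ActiveDirectory

# Inventory the five FSMO role holders and flag placements that break the rules above.
function Get-FsmoHealth {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster          # one per forest
        'Domain Naming Master'  = $forest.DomainNamingMaster    # one per forest
        'RID Master'            = $domain.RIDMaster             # one per domain
        'PDC Emulator'          = $domain.PDCEmulator           # one per domain
        'Infrastructure Master' = $domain.InfrastructureMaster  # one per domain
    }
    # The Infrastructure Master/GC conflict only matters when the forest has several
    # domains and at least one DC that is not a global catalog.
    $multiDomain = $forest.Domains.Count -gt 1
    $everyDcIsGc = -not (Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $issues = @()
        $dc = $null
        try { $dc = Get-ADDomainController -Identity $holder -ErrorAction Stop }
        catch { $issues += "holder '$holder' is not a known domain controller" }
        if ($dc) {
            if (-not (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)) {
                $issues += 'holder is unreachable'
            }
            if ($dc.IsReadOnly) {
                $issues += 'holder is an RODC (RODCs cannot hold FSMO roles)'
            }
            if ($role -eq 'Infrastructure Master' -and $multiDomain -and $dc.IsGlobalCatalog -and -not $everyDcIsGc) {
                $issues += 'on a GC in a forest with non-GC DCs: cross-domain references will not be updated'
            }
        }
        [pscustomobject]@{ Role = $role; Holder = $holder; Issues = ($issues -join '; ') }
    }
}

Get-FsmoHealth | Format-Table -AutoSize
```

An empty Issues column for all five rows is the expected healthy result; anything else is worth a ticket before a role transfer or seizure becomes necessary.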
Active Directory components
Logical components
Forest Functional Level & Domain Functional Level
Physical components - RODC
Read-only domain controller
An RODC is a new type of domain controller that hosts read-only partitions of the Active Directory
database. All changes must be made on a writable domain controller and then replicated to the RODC.
An RODC is designed primarily to be deployed in remote or branch office environments, which typically
have relatively few users, poor physical security, relatively poor network bandwidth to a hub site, and
personnel with limited knowledge of information technology (IT).
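The "poor physical security" in that description is exactly why an RODC's Password Replication Policy matters: whatever secrets the RODC is allowed to cache are the secrets a stolen branch server gives away. The PowerShell below is an added example, not from the slides; it assumes the RSAT ActiveDirectory module and reports, per RODC, how many accounts have been revealed to it, which privileged groups are missing from its denied list, and any privileged user whose secrets it already holds.

```powershell
Import-Module ActiveDirectory

# Report what each RODC may cache and which privileged accounts it has already revealed.
function Get-RodcCachingExposure {
    # Groups whose members' secrets should never be cached on a branch RODC.
    $privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                        'Account Operators', 'Server Operators', 'Backup Operators'
    # Resolve nested membership; forest-root-only groups are skipped in child domains.
    $privilegedUsers = foreach ($g in $privilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
    }
    $privilegedUsers = @($privilegedUsers | Sort-Object -Unique)

    foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
        $denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
                  Select-Object -ExpandProperty Name
        # Accounts whose password hashes are physically present on this RODC.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
                    Select-Object -ExpandProperty SamAccountName
        $missingDeny = $privilegedGroups | Where-Object { $_ -notin $denied }
        $leaked = $revealed | Where-Object { $_ -in $privilegedUsers }
        [pscustomobject]@{
            RODC                = $rodc.HostName
            Site                = $rodc.Site
            RevealedAccounts    = @($revealed).Count
            PrivilegedNotDenied = ($missingDeny -join ', ')
            PrivilegedRevealed  = ($leaked -join ', ')
        }
    }
}

Get-RodcCachingExposure | Format-List
```

A non-empty PrivilegedRevealed value means the RODC must be treated as compromised if it is lost: reset those accounts, not just the RODC's own account.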
Group Policy
Group Policy is an integral feature built into Microsoft Active Directory. Its core
purpose is to enable IT administrators to centrally manage users and computers
across an AD domain. This includes both business users and privileged users
like IT admins, and workstations, servers, domain controllers (DCs) and other
machines.
Group Policy Best Practice
- Do not modify the Default Domain Policy and Default Domain Controllers Policy. Use the Default Domain Policy for account, account lockout, password and Kerberos policy settings only.
- Create a well-designed organizational unit (OU) structure in Active Directory. Having a good OU structure makes it easier to apply and troubleshoot Group Policy.
- Give GPOs descriptive names:
  - Policies for user accounts: U_<name of the policy>
  - Policies for computer accounts: C_<name of the policy>
  - Policies for computer and user accounts: CU_<name of the policy>
Group Policy Best Practice
- Do not set GPOs at the domain level. Each Group Policy Object that is linked at the domain level is applied to all user and computer objects; the only GPO that should be set at the domain level is the Default Domain Policy.
- Apply GPOs at the OU root level. Applying GPOs at the OU level allows sub-OUs to inherit these policies; you don't need to link the policy to each sub-OU.
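The two best-practice slides above can be turned into an audit. The PowerShell below is an added example (not the slides' own material); it assumes the RSAT GroupPolicy and ActiveDirectory modules and reports any GPO other than the Default Domain Policy linked at the domain root, any GPO whose name lacks the U_/C_/CU_ prefix, and any GPO whose enabled halves disagree with its prefix (a U_ policy should have its computer settings disabled, a C_ policy its user settings).

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Audit GPOs against the conventions above: root-level links and the U_/C_/CU_ prefix.
function Test-GpoConventions {
    $domainDn = (Get-ADDomain).DistinguishedName
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Only the Default Domain Policy belongs at the domain level.
    foreach ($link in (Get-GPInheritance -Target $domainDn).GpoLinks) {
        if ($link.DisplayName -ne 'Default Domain Policy') {
            $findings.Add([pscustomobject]@{ Gpo = $link.DisplayName; Issue = 'linked at the domain level' })
        }
    }

    # 2. The prefix says which half of the GPO is in use; the unused half should be disabled,
    #    which also removes it from processing on every client.
    foreach ($gpo in Get-GPO -All) {
        if ($gpo.DisplayName -in 'Default Domain Policy', 'Default Domain Controllers Policy') { continue }
        $expected = switch -Regex ($gpo.DisplayName) {
            '^CU_'  { 'AllSettingsEnabled'; break }
            '^U_'   { 'ComputerSettingsDisabled'; break }
            '^C_'   { 'UserSettingsDisabled'; break }
            default { $null }
        }
        if ($null -eq $expected) {
            $findings.Add([pscustomobject]@{ Gpo = $gpo.DisplayName; Issue = 'name does not start with U_, C_ or CU_' })
        } elseif ("$($gpo.GpoStatus)" -ne $expected) {
            $findings.Add([pscustomobject]@{ Gpo = $gpo.DisplayName; Issue = "status is $($gpo.GpoStatus), expected $expected" })
        }
    }
    $findings
}

Test-GpoConventions | Format-Table -AutoSize
```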
Active Directory Backup
The system runs 24x7, so back up:
‒ Users and computers
‒ Groups and permissions
‒ Group Policy Objects
‒ Entire computer (bare metal)
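One way to cover the items on that list, as an added example that is not from the slides: the PowerShell below assumes the Windows Server Backup feature is installed on a writable DC together with the RSAT ActiveDirectory and GroupPolicy modules, and that the target paths (constructed placeholders) exist. It exports every GPO with Backup-GPO, takes a system state backup (which holds the AD database and SYSVOL), and then checks that the last successful backup is younger than the forest's tombstone lifetime, because a backup older than that cannot be restored into the forest.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module WindowsServerBackup

# GPO settings are restorable per object with Restore-GPO; the links live in AD and are
# covered by the system state backup of the domain controller.
function Invoke-AdBackup {
    param([string]$Target = 'E:', [string]$GpoPath = 'E:\GPO-Backups')  # placeholder paths
    New-Item -ItemType Directory -Path $GpoPath -Force | Out-Null
    Backup-GPO -All -Path $GpoPath -Comment ("Scheduled " + (Get-Date -Format s)) | Out-Null
    # System state: NTDS.dit, SYSVOL, registry, boot files. Bare-metal backup would add -allCritical.
    & wbadmin start systemstatebackup -backupTarget:$Target -quiet
}

# Objects deleted longer ago than the tombstone lifetime are gone from every DC, so a
# backup older than that lifetime is refused for restore.
function Test-AdBackupAge {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    # Forests created before Windows Server 2003 SP1 may lack the attribute; the default is then 60 days.
    $lifetimeDays = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    $last = (Get-WBSummary).LastSuccessfulBackupTime
    [pscustomobject]@{
        LastSuccessfulBackup  = $last
        TombstoneLifetimeDays = $lifetimeDays
        Restorable            = ($null -ne $last) -and ($last -gt (Get-Date).AddDays(-$lifetimeDays))
    }
}

Invoke-AdBackup
Test-AdBackupAge
```

Treat a Restorable value of False as an incident, not a warning: at that point the only remaining recovery path for deleted objects is a fresh backup taken before anything else goes wrong.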
CREDITS: This presentation template was created by Slidesgo,
including icons by Flaticon, and infographics & images by Freepik
THANKS

Editor's Notes

  1. For example, your Finance Manager copies a spreadsheet file containing the compensation packages of an organization's executives from a protected folder on a file server to the Manager's personal USB drive. During the commute home, the Manager leaves the USB drive on the train, where someone with no connection to the organization finds it. Without AD RMS, whoever finds the USB drive can open the file. With AD RMS, it is possible to ensure that the file cannot be opened by unauthorized users. For example, you can configure standard templates that grant view-only rights, block the ability to edit, save, and print, or, if used with Exchange Server, block the ability to forward or reply to messages.
  2. LDAP provides the communication language that applications use to communicate with directory services servers. Directory services store the users, passwords, and computer accounts, and share that information with other entities on the network. Active Directory is a database-based system that provides authentication, directory, policy, and other services in a Windows environment. LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP. Short answer: AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.
  3. The schema is stored in its own partition in the directory. The schema is replicated among all the domain controllers in the forest, and any change that is made to the schema is replicated to every domain controller in the forest. Because the schema dictates how information is stored, and because any changes that are made to the schema affect every domain controller, changes to the schema should be made only when necessary, and carefully.
  4. A child domain shares the same Domain Naming Master and Schema Master roles and inherits the namespace of the parent domain. In a child domain you don't have an Enterprise Admins account; it exists in the parent domain only, for most of the configuration. The trust between parent and child is a parent-child two-way transitive trust. For example, if the parent is ABC.com, the child domain will be XYZ.ABC.com. If you don't want to inherit the parent domain name, you use a new tree in the forest: for example, the parent is ABC and you can have a new tree as XYZ.com. Tree root domains have their own Enterprise Admins group to manage their own AD.