Windows 2000: Concepts & Deployment
Larry Lieberman, NT Support Engineer, Premier Enterprise Support, Microsoft Corporation
(Transcript of a PowerPoint presentation.)

Agenda
- Active Directory
- Microsoft DNS
- Distributed Security
- System Management

Active Directory
- Architecture
- Components
- Planning AD Design

AD Architecture
- X.500-derived data model
- Schema stored in the directory
- Windows 2000 Trusted Computing Base security model
- Delegated administration model
- DNS integration

AD Components (1/10)
- Objects
- Organizational Units (OUs)
- Domains
- Sites
- Trees and Forests
- Global Catalog

AD Components (2/10): Objects
- Object class: its attributes are defined in the schema; data storage is allocated as necessary.
- Directory object: an object instance is created in the Directory from the class definition.

AD Components (3/10): Object Access
- Access to directory objects is controlled via Access Control Lists (ACLs).
- Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes.
- Diagram: a directory object carries an ACL; one ACE in it grants "Sales Managers: read access", and an ACE can be scoped to specific attributes rather than the whole object.

AD Components (4/10): Organizing the Directory
- A hierarchy of objects can be created using Organizational Units (OUs).
- Although OUs are the primary containers used to create the hierarchy, all directory objects are potential containers.
- Diagram: a tree of OUs nested several levels deep. Deep or flat structure?

AD Components (5/10): OUs
- OU security provides the mechanism for controlling object visibility and delegating administration.
- Diagram: an OU tree in which each OU carries its own ACL, e.g. "Sales Managers: read access", "UK User Admins: Create Users", "Location1 Admins: Reset passwords", "UK Users: Read Volume objects".
- ACLs are inheritable: an ACE set on an OU flows down to the objects and OUs beneath it.
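The access check the two OU slides describe, as an added illustration that is not code from the presentation: a toy Python model of a DACL whose ACEs can be scoped to a single attribute, child class or extended right, are inherited down an OU tree, and stop at a protected OU. The group names follow the slide; the right bits, OU names and user objects are constructed for the example.

```python
"""Toy model of Active Directory object security: a DACL of ACEs that can be scoped
to one attribute, child class or extended right, and that can be inherited down an
OU tree. Added illustration, not code from the presentation; names and mask values
are constructed for this example."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed access-right bits (real AD uses the ADS_RIGHT_* values).
CREATE_CHILD = 0x01
READ_PROP = 0x10
WRITE_PROP = 0x20
CONTROL_ACCESS = 0x100           # extended right such as "Reset Password"


@dataclass
class Ace:
    trustee: str                     # group name standing in for a SID
    allow: bool
    mask: int
    obj_type: Optional[str] = None   # attribute / child class / extended right; None = whole object
    inherit: bool = False            # propagate to child objects


@dataclass
class DirObject:
    dn: str
    parent: Optional["DirObject"] = None
    dacl: list = field(default_factory=list)
    protected: bool = False          # "block inheritance" on this object

    def effective_dacl(self):
        """Explicit ACEs first, then inherited ones, nearest ancestor first.
        A protected object keeps its own ACEs but blocks everything from above."""
        aces = list(self.dacl)
        node, blocked = self, self.protected
        while node.parent is not None and not blocked:
            node = node.parent
            aces.extend(a for a in node.dacl if a.inherit)
            blocked = node.protected
        return aces


def access_check(obj, groups, right, obj_type=None):
    """True if a principal in `groups` holds `right` on `obj` (optionally on one
    attribute or extended right). The first applicable ACE decides, so a deny that
    precedes an allow wins, as with canonical Windows ACE ordering."""
    for ace in obj.effective_dacl():
        if ace.trustee not in groups or not ace.mask & right:
            continue
        if ace.obj_type is not None and ace.obj_type != obj_type:
            continue                  # scoped to a different attribute/right
        return ace.allow
    return False                      # no ACE grants it: implicit deny


def build_tree():
    """The OU layout from the slide: UK -> Location1 -> user alice, plus a
    protected OU that blocks inherited delegation."""
    uk = DirObject("OU=UK", dacl=[
        Ace("UK User Admins", True, CREATE_CHILD, obj_type="user", inherit=True),
        Ace("UK Users", True, READ_PROP, obj_type="volume", inherit=True),
        Ace("Helpdesk", True, CONTROL_ACCESS, obj_type="Reset Password", inherit=True),
    ])
    loc1 = DirObject("OU=Location1,OU=UK", parent=uk, dacl=[
        Ace("Location1 Admins", True, CONTROL_ACCESS, obj_type="Reset Password", inherit=True),
    ])
    alice = DirObject("CN=alice,OU=Location1,OU=UK", parent=loc1, dacl=[
        Ace("Sales Managers", False, READ_PROP, obj_type="homePhone"),   # explicit deny first
        Ace("Sales Managers", True, READ_PROP, obj_type="telephoneNumber"),
    ])
    execs = DirObject("OU=Executives,OU=UK", parent=uk, protected=True)
    bob = DirObject("CN=bob,OU=Executives,OU=UK", parent=execs)
    return {"uk": uk, "loc1": loc1, "alice": alice, "execs": execs, "bob": bob}


if __name__ == "__main__":
    t = build_tree()
    checks = [
        ("Location1 Admins reset alice", access_check(t["alice"], {"Location1 Admins"}, CONTROL_ACCESS, "Reset Password")),
        ("Location1 Admins reset at OU=UK", access_check(t["uk"], {"Location1 Admins"}, CONTROL_ACCESS, "Reset Password")),
        ("Sales Managers read telephoneNumber", access_check(t["alice"], {"Sales Managers"}, READ_PROP, "telephoneNumber")),
        ("Sales Managers read userAccountControl", access_check(t["alice"], {"Sales Managers"}, READ_PROP, "userAccountControl")),
        ("Helpdesk reset alice (inherited)", access_check(t["alice"], {"Helpdesk"}, CONTROL_ACCESS, "Reset Password")),
        ("Helpdesk reset bob (inheritance blocked)", access_check(t["bob"], {"Helpdesk"}, CONTROL_ACCESS, "Reset Password")),
    ]
    for label, ok in checks:
        print(f"{label:45s} {'ALLOW' if ok else 'DENY'}")
```

Running it prints ALLOW or DENY for each delegation on the slide. The points to take away: Location1 Admins can reset passwords on users under Location1 but hold nothing at OU=UK, Sales Managers can read telephoneNumber but no other attribute, and inheritance stops at the protected OU, so a right delegated at OU=UK does not reach the executives beneath it.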

AD Components (6/10): Domains
- One or more domain controllers.
- The directory is hosted on all DCs: each DC holds the domain directory plus the forest-wide configuration and schema partitions.
- Multi-master replication.
- One or more sites.

AD Components (7/10): Sites
- A site is one or more IP subnets.
- Sites control Active Directory replication: intra-site replication is configured automatically; inter-site replication is scheduled.
- Site knowledge is used by the logon (DC) locator, the printer locator and pruner, Dfs and more.

AD Components (8/10): Trees and Forests
- Configuration and schema are common to all domains in the forest.
- Transitive trusts link the domains.

AD Components (9/10): Boundaries
- The domain is the boundary for replication of the domain partition, for administration, for security (account) policy and for Group Policy.
- Later Microsoft guidance makes the point explicit: a domain is an administrative and policy boundary, not an isolation boundary; the forest is the security boundary, which is why the design slides below recommend a separate forest for partners and for development and testing.

AD Components (10/10): Global Catalog
- Enterprise-wide searches; resolves enterprise queries.
- The GC is a partial replica of all objects in every domain of the forest, hosted on one or more DCs.

Planning AD Design (1/6): Considerations
- Defining a logical hierarchy of resources
- Administrative architectures
- Allocation of physical resources and budget
- Current infrastructure and upgrade strategies
- Data availability requirements
- Network bandwidth
- Politics

Planning AD Design (2/6): One or More Forests
- All domains in a forest share a common schema and global catalog.
- Create multiple forests if:
  - separate schemas are required;
  - one or more domains are required to be isolated from the spanning tree of transitive trusts;
  - total administrative autonomy is required.

Planning AD Design (3/6): Domain Structure
- Where possible use a single domain: use OUs to delegate administration and sites to tune replication.
- Use multiple domains when there is a requirement for:
  - scalability across WANs;
  - autonomous administrative entities;
  - different security account policies (password, lockout and Kerberos ticket policy are set per domain).

Planning AD Design (4/6): Multiple Domains (1/3)
- Containment of network traffic: directory replication and policies (FRS).
- In-place upgrades from Windows NT domains.
- Autonomous divisions with separate names: no technical reasons, only politics; names are not important.

Planning AD Design (5/6): Multiple Domains (2/3)
- Each domain has an incremental overhead: increased administration and increased hardware, since separate DCs are required for each domain.
- Try to avoid creating divisional or departmental domains for purely political reasons: change is inevitable, and domains are easy to create and hard to retire.

Planning AD Design (6/6): Multiple Domains (3/3)
- Separate the production forest from development and testing; this prevents unwanted schema changes propagating through the enterprise.
- Create a separate forest to restrict access for business partners.

Microsoft DNS
- Windows 2000 DNS requirements
- MS DNS features
- DNS design

DNS Requirements
- A DNS server that is authoritative for a Windows 2000 domain MUST support SRV records (RFC 2052; since superseded by RFC 2782, which keeps the same record format and specifies the underscore-prefixed _service._proto labels that Windows 2000 registers).
- It also should support dynamic updates (RFC 2136).
- The NETLOGON service on each domain controller automatically registers SRV records for all of the domain services it offers and for the site it supports.
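How the Sites slide and the DNS Requirements slide fit together, as an added example that is not code from the presentation or from Windows: a client maps its address to a site by longest-prefix subnet match, builds the site-specific and then the domain-wide SRV names that Netlogon registers under _msdcs, and chooses a DC by the SRV priority and weight rules of RFC 2052/2782. The subnet table and zone content are constructed; the real locator additionally sends an LDAP ping to the candidate DCs, which is omitted here.

```python
"""DC location from the DNS side: subnet -> site, site -> SRV names, SRV -> DC.
Added example, not code from the presentation or from Windows. The subnet table
and zone content below are constructed sample data."""
import ipaddress
import random

# Constructed AD site/subnet table (what Sites and Services would hold).
SUBNETS = {
    "10.1.0.0/16": "Site1",
    "10.1.50.0/24": "Site2",      # more specific prefix wins over 10.1.0.0/16
    "192.168.0.0/16": "Site3",
}

# Constructed SRV records as Netlogon registers them: name -> [(priority, weight, port, target)]
ZONE = {
    "_ldap._tcp.Site1._sites.dc._msdcs.corp.example.com": [(0, 100, 389, "dc1.corp.example.com"),
                                                          (0, 100, 389, "dc2.corp.example.com")],
    "_ldap._tcp.Site3._sites.dc._msdcs.corp.example.com": [(0, 100, 389, "dc3.corp.example.com")],
    "_ldap._tcp.dc._msdcs.corp.example.com": [(0, 100, 389, "dc1.corp.example.com"),
                                             (0, 100, 389, "dc2.corp.example.com"),
                                             (10, 100, 389, "dc3.corp.example.com")],
    "_kerberos._tcp.dc._msdcs.corp.example.com": [(0, 100, 88, "dc1.corp.example.com")],
}


def site_for_ip(ip, subnets=SUBNETS):
    """Longest-prefix match of the client address against the site subnets; None if
    the address is in no defined subnet (such clients get domain-wide records only)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def locator_names(service, forest, site=None):
    """Names a Windows 2000 client queries: site-specific first, then domain-wide."""
    names = []
    if site:
        names.append(f"_{service}._tcp.{site}._sites.dc._msdcs.{forest}")
    names.append(f"_{service}._tcp.dc._msdcs.{forest}")
    return names


def pick_srv(records, rng=random):
    """RFC 2782 selection: lowest priority first; within it, weighted random choice."""
    lowest = min(p for p, _, _, _ in records)
    candidates = [r for r in records if r[0] == lowest]
    total = sum(w for _, w, _, _ in candidates)
    if total == 0:
        return candidates[0]
    pick = rng.randrange(total)
    for r in candidates:
        pick -= r[1]
        if pick < 0:
            return r
    return candidates[-1]


def locate_dc(client_ip, service="ldap", forest="corp.example.com", zone=ZONE, rng=random):
    """Return (name_used, (priority, weight, port, target)), or (None, None) if no record exists.
    A site with no DC of its own (Site2 here) falls through to the domain-wide record."""
    site = site_for_ip(client_ip)
    for name in locator_names(service, forest, site):
        if zone.get(name):
            return name, pick_srv(zone[name], rng)
    return None, None


if __name__ == "__main__":
    for ip in ("10.1.50.7", "10.1.2.3", "192.168.9.9", "172.16.0.1"):
        name, rec = locate_dc(ip)
        print(f"{ip:14s} site={site_for_ip(ip)!s:6s} via {name} -> {rec[3]}:{rec[2]}")
```

The fallback path is the one to watch in a design review: a client in a site with no DNS-registered DC (or in a subnet that is in no site at all) silently ends up on whichever DC the domain-wide record hands it, possibly across the slow link the later DNS Design slides warn about.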

MS DNS Features (1/12)
- Active Directory integration
- Dynamic update
- Aging
- Administrative tools
- Caching resolver

MS DNS Features (2/12): Active Directory Integration
- An AD-integrated DNS zone is multi-master.

MS DNS Features (3/12): Active Directory Integration
- Diagram ("Primary" zones): 1) a DNS server receives an update; 2) it writes the record to ADS; 3) ADS replicates it to the other DCs; 4) the DNS server on another DC reads it from ADS. Every DNS server hosting the zone is a primary.

MS DNS Features (4/12): Active Directory Integration
- An AD-integrated DNS zone is multi-master.
- High availability of writes as well as reads.
- Does not require a replication mechanism separate from AD replication (no zone transfers between the DCs).

MS DNS Features (5/12): Active Directory Integration
- ADS replication is loosely consistent.
- Name-level collision: two hosts create the same name simultaneously on different DCs; the first writer wins.
- Attribute-level collision: two hosts modify the A RRset for microsoft.com simultaneously on different DCs; the last writer wins.
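The two collisions on this slide, worked through in an added example that is not code from the presentation. Each attribute carries a stamp in the AD style (version, originating time, originating DC) and the higher stamp wins, so two writes at the same version resolve to the later one; two objects created under the same name on different DCs are both kept, and the later creation is renamed with a conflict suffix. The object names, GUIDs and times are constructed.

```python
"""Loosely consistent multi-master replication with AD-style conflict resolution.
Added example, not code from the presentation. Attribute stamps are (version,
originating time, originating DC) and the higher stamp wins; a name collision keeps
the earlier object under the name and renames the later one with the conflict
suffix AD uses (name + "\\nCNF:" + objectGUID). Names, GUIDs and times are constructed."""
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass(order=True)
class Stamp:
    version: int
    time: int          # originating write time
    dsa: str           # originating DC (stands in for the invocation ID)


@dataclass
class Obj:
    guid: str
    created: Stamp
    attrs: dict = field(default_factory=dict)    # attribute -> (value, Stamp)


class Replica:
    def __init__(self, dsa):
        self.dsa, self.objects = dsa, {}         # name -> Obj

    def create(self, name, guid, time):
        self.objects[name] = Obj(guid, Stamp(1, time, self.dsa))   # local create always succeeds

    def write(self, name, attr, value, time):
        obj = self.objects[name]
        version = obj.attrs[attr][1].version + 1 if attr in obj.attrs else 1
        obj.attrs[attr] = (value, Stamp(version, time, self.dsa))

    def replicate_from(self, other):
        """Pull every object from `other`, resolving conflicts per object and per attribute."""
        for name, theirs in list(other.objects.items()):
            mine = self.objects.get(name)
            if mine is None:
                self.objects[name] = deepcopy(theirs)
            elif mine.guid != theirs.guid:            # name collision: two different objects
                if theirs.created < mine.created:     # theirs was first and keeps the name
                    self.objects[name + "\nCNF:" + mine.guid] = mine
                    self.objects[name] = deepcopy(theirs)
                else:
                    self.objects[name + "\nCNF:" + theirs.guid] = deepcopy(theirs)
            else:                                     # same object: merge attribute by attribute
                for attr, (value, stamp) in theirs.attrs.items():
                    if attr not in mine.attrs or stamp > mine.attrs[attr][1]:
                        mine.attrs[attr] = (value, stamp)


def run_scenario():
    dc1, dc2 = Replica("DC1"), Replica("DC2")
    dc1.create("microsoft.com", "G1", time=10)
    dc2.replicate_from(dc1)                       # both DCs now hold the same object
    dc1.create("www", "A", time=100)              # name-level collision: created on both
    dc2.create("www", "B", time=105)              # sides while replication was pending
    dc1.write("microsoft.com", "A", "10.0.0.1", time=200)   # attribute-level collision
    dc2.write("microsoft.com", "A", "10.0.0.2", time=210)
    dc1.replicate_from(dc2)
    dc2.replicate_from(dc1)
    return dc1, dc2


if __name__ == "__main__":
    dc1, dc2 = run_scenario()
    for name, obj in sorted(dc1.objects.items()):
        print(repr(name), obj.guid, {k: v[0] for k, v in obj.attrs.items()})
    print("converged:", dc1.objects == dc2.objects)
```

What this means for DNS data in an AD-integrated zone: an A record written on two DCs within one replication interval ends up with the later write on both, and the earlier value is overwritten rather than flagged, so changes to important names are worth auditing on the DC where they originate.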

MS DNS Features (6/12): Dynamic Update
- Based on RFC 2136.
- The client discovers the primary server for the zone where the record should be added or deleted (by querying the zone's SOA record; for an AD-integrated zone any DC running DNS is a primary).
- The client sends a dynamic update packet to the primary server.
- The primary server processes the update.

MS DNS Features (7/12): Dynamic Update
- A Windows 2000 computer registers an A RR for Hostname.PrimaryDnsSuffix (default) and for Hostname.AdapterSpecificDnsSuffix (if configured).
- It registers the PTR RR itself if the adapter is not DHCP-configured or the DHCP server does not support DNS RR registration.

MS DNS Features (8/12): Dynamic Update
- The Windows 2000 DHCP server registers (based on draft-ietf-dhc-dhcp-dns-*.txt):
  - PTR records on behalf of upgraded (Windows 2000) clients (default);
  - A and PTR records on behalf of downlevel clients (default);
  - A and PTR records on behalf of upgraded clients (if configured).
- The Windows 2000 DHCP server removes the records it registered when the lease expires.
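The RFC 2136 exchange described on the three Dynamic Update slides, as an added example that is not code from the presentation: a builder and parser for the UPDATE message a host sends to the zone's primary to register its A record, including the prerequisite form that refuses to overwrite a name another host already holds. Host name, zone, address and message ID are constructed. The message is unsigned, as in plain dynamic update; the secure variant on the next slide carries the same message with a GSS-TSIG record in the additional section.

```python
"""RFC 2136 UPDATE message: build the registration a host sends to the zone's
primary, and parse it back. Added example, not code from the presentation; names,
addresses and the message ID are constructed."""
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels ended by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, off):
    """Decode a name at `off`, following compression pointers; returns (name, next_off)."""
    labels, end, hops = [], None, 0
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = off + 2                       # caller resumes after the pointer
            off = struct.unpack_from("!H", data, off)[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def rr(name, rtype, rclass, ttl, rdata=b""):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(msg_id, zone, prereqs, updates):
    """Header (opcode 5) + zone section + prerequisite and update RRs, each given as
    (name, type, class, ttl, rdata). No additional section; that is where TSIG goes."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, len(prereqs), len(updates), 0)
    body = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for section in (prereqs, updates):
        body += b"".join(rr(*entry) for entry in section)
    return header + body


def parse_update(data):
    msg_id, flags, zc, pc, uc, ac = struct.unpack_from("!HHHHHH", data, 0)
    msg = {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zones": [],
           "prereqs": [], "updates": [], "additional": []}
    off = 12
    for _ in range(zc):
        name, off = decode_name(data, off)
        rtype, rclass = struct.unpack_from("!HH", data, off)
        off += 4
        msg["zones"].append((name, rtype, rclass))
    for section, count in (("prereqs", pc), ("updates", uc), ("additional", ac)):
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
            off += 10
            msg[section].append((name, rtype, rclass, ttl, data[off:off + rdlen]))
            off += rdlen
    if off != len(data):
        raise ValueError("trailing bytes after last section")
    return msg


def a_record_registration(host, zone, ip, ttl=1200, only_if_absent=False, msg_id=0x1234):
    """Register host -> ip. With only_if_absent, a prerequisite (class NONE, type A,
    RFC 2136 section 2.4.3) makes the server refuse the update if any A RRset already
    exists at the name, so a client can claim a name without clobbering another host.
    Otherwise the update first deletes the existing A RRset (class ANY, TTL 0, no
    rdata, section 2.5.2) and then adds the new address."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    prereqs = [(host, TYPE_A, CLASS_NONE, 0, b"")] if only_if_absent else []
    updates = ([] if only_if_absent else [(host, TYPE_A, CLASS_ANY, 0, b"")]) + \
              [(host, TYPE_A, CLASS_IN, ttl, rdata)]
    return build_update(msg_id, zone, prereqs, updates)


if __name__ == "__main__":
    wire = a_record_registration("host1.corp.example.com", "corp.example.com", "10.1.2.3")
    print(wire.hex())
    print(parse_update(wire))
```

The prerequisite is the interesting part for the collision discussion above: without it, any host that can reach the primary can replace another host's A record, which is exactly what the secure dynamic update on the next slide exists to prevent.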

MS DNS Features (9/12): Secure Dynamic Update
- Based on draft-skwan-gss-tsig-04.txt (GSS-TSIG, later published as RFC 3645).
- Available only on AD-integrated zones.
- Per-zone and per-name granularity: an ACL on each zone and on each name, since every name is an object in the directory.

MS DNS Features (10/12): Aging/Scavenging
- Enables deletion of stale records in AD-integrated zones.
- Requires periodic refreshes of the records: a dynamically registered record that is not refreshed within the configured intervals is scavenged, so the intervals must be longer than the clients' re-registration period.
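The refresh and scavenging arithmetic behind the Aging/Scavenging slide, as an added example that is not code from the presentation or from the product. It models the no-refresh and refresh intervals, the rule that a re-registration inside the no-refresh interval does not touch the timestamp, and the cut-off after which a record is scavenged; static records are never removed. Record names, addresses and times are constructed inputs, and the 7-day intervals are the product defaults.

```python
"""Aging and scavenging arithmetic for dynamically registered DNS records.
Added example, not code from the presentation. Names, addresses and times are
constructed; 7 days for each interval is the product default."""
from dataclasses import dataclass

DAY = 86400
T0 = 946684800                     # 2000-01-01T00:00:00Z, used as "now" below


@dataclass
class Record:
    name: str
    rtype: str
    value: str
    timestamp: int                 # seconds since epoch; 0 marks a static record


class Zone:
    def __init__(self, no_refresh=7 * DAY, refresh=7 * DAY, scavenging=True):
        self.no_refresh, self.refresh, self.scavenging = no_refresh, refresh, scavenging
        self.records = []

    def register(self, name, rtype, value, now):
        """Dynamic update. Re-registering an identical record is a refresh, and the
        timestamp moves only once the no-refresh interval has elapsed (which is what
        keeps daily re-registrations from turning into replicated writes)."""
        for r in self.records:
            if (r.name, r.rtype, r.value) == (name, rtype, value):
                if r.timestamp and now - r.timestamp >= self.no_refresh:
                    r.timestamp = now
                    return "refreshed"
                return "ignored"
        self.records.append(Record(name, rtype, value, now))
        return "added"

    def stale(self, now):
        cutoff = now - (self.no_refresh + self.refresh)
        return [r for r in self.records if r.timestamp and r.timestamp < cutoff]

    def scavenge(self, now):
        """Delete stale records; returns (name, type) of each one removed. Nothing is
        removed unless scavenging is enabled on the zone (and, on a real server, on
        the server that runs the scavenging pass)."""
        if not self.scavenging:
            return []
        doomed = self.stale(now)
        self.records = [r for r in self.records if r not in doomed]
        return [(r.name, r.rtype) for r in doomed]


def run_scenario():
    z = Zone()
    z.register("dc1.corp.example.com", "A", "10.0.0.10", now=T0)
    z.records.append(Record("mail.corp.example.com", "A", "10.0.0.25", timestamp=0))  # static
    z.register("laptop7.corp.example.com", "A", "10.0.5.7", now=T0)   # registers once, never again
    events = [
        z.register("dc1.corp.example.com", "A", "10.0.0.10", now=T0 + 1 * DAY),   # inside no-refresh
        z.register("dc1.corp.example.com", "A", "10.0.0.10", now=T0 + 8 * DAY),   # after it
    ]
    removed = z.scavenge(now=T0 + 15 * DAY)
    return events, removed, [r.name for r in z.records]


if __name__ == "__main__":
    events, removed, remaining = run_scenario()
    print(events, removed, remaining)
```

The failure mode to keep in mind is a client re-registration period longer than no-refresh + refresh: a host that registers only at boot, like laptop7 here, is scavenged after 14 days even if it is still on the network, while a host that re-registers daily, like dc1, keeps its record.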

MS DNS Features (12/12): Caching Resolver
- Windows 2000 service.
- Caches RRs according to TTL.
- Negative caching.
- Tracks transient/PnP adapters.
- Reorders servers according to responsiveness.
- Fewer round-trips, fewer timeouts, faster response time.

DNS Design (1/11): To Support the DC Locator
- The DNS server authoritative for the DC records MUST support SRV RRs.
- Support for dynamic updates is recommended.

DNS Design (2/11)
- Delegate a DNS zone for each AD domain to the DNS servers running on the DCs in that AD domain.

DNS Design (3/11)
- Diagram: forest root domain corp.example.com. Zones: primary AD-integrated "corp.example.com".

DNS Design (4/11)
- Diagram: corp.example.com with child domain Domain1.corp.example.com. Zones: primary AD-integrated "corp.example.com" on the root DCs; primary AD-integrated "Domain1.corp.example.com" on the Domain1 DCs.

DNS Design (5/11)
- Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain.
- Install a DNS server on at least two DCs in each AD domain and on one DC in each site.

DNS Design (6/11)
- Diagram: the same two domains spread over Site1, Site2 and Site3, each site with a DC running DNS.

DNS Design (7/11)
- Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain.
- Install a DNS server on at least two DCs in each AD domain and on one DC in each site.
- If different sites in the forest are connected over a slow link, delegate the zone "_msdcs.<ForestName>" and make at least one DNS server in every site secondary for this zone.

DNS Design (8/11)
- Diagram: as (6/11), with zones: the root DCs hold primary AD-integrated "corp.example.com" and primary AD-integrated "_msdcs.corp.example.com."; the Domain1 DCs hold primary AD-integrated "Domain1.corp.example.com" and a secondary copy of "_msdcs.corp.example.com.".

DNS Design (9/11)
- Install a DNS server on at least two DCs in each AD domain and on one DC in each site.
- Delegate a DNS zone for each AD domain to the DNS servers running on a DC in that AD domain.
- If different domains of the forest are connected over slow links, delegate the zone _msdcs.<ForestName> and make at least one DNS server in every site secondary for this zone.
- Each client should be configured to query at least two DNS servers, one of which is in the same site.

DNS Design (10/11)
- Diagram: repeats the layout of (8/11).

DNS Design (11/11): Hardware Planning
- Memory usage: ~4 MB with no zones loaded; each record requires ~100 bytes.
- Performance: an Alpha 533 MHz dual-processor at 25% processor utilization handles 1600 queries and 200 dynamic updates per second; an Intel Pentium II 400 MHz dual-processor at 30% processor utilization handles 900 queries and 100 dynamic updates per second.

Security Topics
- Kerberos integration with Windows NT
- Security provider architecture
- Public key security components
- Smart card logon and authentication
- Encrypting File System
- Security policies and domain trust
- Secure Windows NT configuration

Security Goals
- Single enterprise logon.
- Security services integrated with the Windows NT Directory Service.
- Delegated administration and scalability for large domains.
- Strong network authentication protocols.
- Standard protocols for interoperability of authentication.

Authentication/Authorization
- Authenticate using domain credentials: the user account is defined in Active Directory.
- Authorization is based on group membership, which centralizes management of access rights.
- Distributed security is tied to the Windows NT security model: network services use impersonation, and access is controlled by object-based access control lists.

One Security Model: Multiple Security Protocols
- Shared-key protocols: Windows NTLM authentication for compatibility in mixed domains; Kerberos V5 for enterprise networks.
- Public key certificate protocols: Secure Sockets Layer (SSL) / Transport Layer Security (TLS); IP Security.
- Multiple forms of credentials are stored in the Active Directory.

NTLM Authentication
- Diagram (client, application server, Windows NT domain controller with the Windows NT Directory Service):
  1. The client performs NTLM challenge/response with the application server.
  2. The server uses the LSA (MSV1_0 package) to log the user on to the domain.
  3. The Netlogon service returns the user and group SIDs from the domain controller.
  4. The server impersonates the client.

Kerberos Integration
- Diagram (client, server, Windows NT domain controller hosting the Windows NT Directory Server and the Key Distribution Center (KDC)):
  - The KDC relies on the Active Directory as the store for security principals and policy.
  - The Kerberos SSPI provider manages credentials and the security context; the LSA manages the ticket cache.
  - The session ticket's authorization data supports the NT access control model.

Kerberos Protocol Advantages
- Faster connection authentication and server scalability for high-volume connections, since session tickets are reused from the client's cache.
- Mutual authentication of both client and server.
- Delegation of authentication: impersonation in three-tier client/server architectures.
- Transitive trust between domains simplifies inter-domain trust management.
- Mature IETF standard for interoperability; tested with the MIT Kerberos V5 release.

Kerberos Unix Interoperability
- Based on the Kerberos V5 protocol: RFC 1510 (since superseded by RFC 4120) and the RFC 1964 GSS-API token format; tested with the MIT Kerberos V5 release.
- Windows NT DS hosts the KDC: UNIX clients to UNIX servers, UNIX clients to NT servers, NT clients to UNIX servers.
- Simple cross-realm authentication: UNIX realm to NT domain.

Kerberos Authentication: Network Server Connection
- Diagram (client, application server (target), Windows NT domain controller with the Directory Server and KDC):
  1. The client sends its TGT and requests a session ticket from the KDC for the target server.
  2. The client presents the session ticket at connection setup.
  3. The target verifies the session ticket issued by the KDC (the ticket is encrypted in the server's own key, so no call to the KDC is needed).

Building an Access Token with Kv5
- Diagram (server application, Kerberos package, LSA):
  - The Kerberos package gets the authorization data (user SID, group SIDs, privileges) from the session ticket.
  - The LSA builds an access token for the security context.
  - The server thread impersonates the client context using the impersonation token.
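The three exchanges drawn on the Kerberos slides (AS, TGS and AP), ending with the access token built from the session ticket's authorization data, as an added example that is not code from the presentation. The cipher is a standard-library encrypt-then-MAC toy standing in for the Kerberos encryption types, and the principal names, keys, SIDs and clock values are constructed; what it shows faithfully is the key handling: the server opens the ticket with its own key and never contacts the KDC, the authenticator proves possession of the session key and is checked for freshness and replay, and the AP-REP gives the client mutual authentication.

```python
"""Kerberos V5 AS, TGS and AP exchanges between a client, a KDC backed by a directory
of principal keys and authorization data, and an application server that builds an
access token from the ticket. Added example, not code from the presentation. The
cipher is a stdlib encrypt-then-MAC toy, not a real Kerberos encryption type; names,
keys, SIDs and clock values are constructed."""
import hashlib, hmac, json, os

SKEW, LIFETIME = 300, 36000      # accepted clock skew and ticket lifetime (seconds)

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj, nonce=None):
    """Toy authenticated encryption: SHA-256 keystream XOR, then an HMAC-SHA256 tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = nonce or os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def unseal(key, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password):
    return hashlib.sha256(password.encode()).digest()   # stand-in for krb5 string-to-key

def fresh(ctime, now):
    return abs(now - ctime) <= SKEW

class KDC:
    """Reads principal keys and authorization data (user and group SIDs) from the directory."""
    def __init__(self, directory, now):
        self.db, self.now, self.krbtgt = directory, now, directory["krbtgt"]["key"]

    def as_exchange(self, cname, preauth):
        ckey = self.db[cname]["key"]
        if not fresh(unseal(ckey, preauth)["ts"], self.now):       # PA-ENC-TIMESTAMP
            raise PermissionError("pre-authentication failed")
        sk = os.urandom(32).hex()                                  # client <-> KDC session key
        tgt = seal(self.krbtgt, {"cname": cname, "sk": sk, "endtime": self.now + LIFETIME,
                                 "auth_data": self.db[cname]["auth_data"]})
        return {"tgt": tgt, "enc": seal(ckey, {"sk": sk, "sname": "krbtgt"})}

    def tgs_exchange(self, tgt, authenticator, sname):
        t = unseal(self.krbtgt, tgt)                               # only the KDC can open a TGT
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["cname"] != t["cname"] or not fresh(a["ctime"], self.now) or t["endtime"] < self.now:
            raise PermissionError("bad authenticator or expired TGT")
        sk = os.urandom(32).hex()                                  # client <-> server session key
        ticket = seal(self.db[sname]["key"], {"cname": t["cname"], "sk": sk, "sname": sname,
                      "endtime": self.now + LIFETIME, "auth_data": t["auth_data"]})
        return {"ticket": ticket, "enc": seal(bytes.fromhex(t["sk"]), {"sk": sk, "sname": sname})}

class AppServer:
    """Verifies session tickets with its own long-term key; never contacts the KDC."""
    def __init__(self, sname, key, now):
        self.sname, self.key, self.now, self.replay = sname, key, now, set()

    def ap_exchange(self, ticket, authenticator):
        t = unseal(self.key, ticket)                  # decrypts only if the KDC issued it for us
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, authenticator)                 # proves the client holds the session key
        if a["cname"] != t["cname"] or t["endtime"] < self.now or not fresh(a["ctime"], self.now):
            raise PermissionError("ticket or authenticator rejected")
        if (a["cname"], a["ctime"]) in self.replay:
            raise PermissionError("replayed authenticator")
        self.replay.add((a["cname"], a["ctime"]))
        token = {"user": t["auth_data"]["user_sid"], "groups": t["auth_data"]["group_sids"]}
        return seal(sk, {"ctime": a["ctime"]}), token   # AP-REP gives the client mutual auth

def client_login(kdc, server, cname, password, now):
    """AS exchange, then TGS exchange, then AP exchange; returns the server-side token."""
    ckey = string_to_key(password)
    rep = kdc.as_exchange(cname, seal(ckey, {"ts": now}))
    sk_tgs = bytes.fromhex(unseal(ckey, rep["enc"])["sk"])
    srep = kdc.tgs_exchange(rep["tgt"], seal(sk_tgs, {"cname": cname, "ctime": now}), server.sname)
    sk_svc = bytes.fromhex(unseal(sk_tgs, srep["enc"])["sk"])
    ap_rep, token = server.ap_exchange(srep["ticket"], seal(sk_svc, {"cname": cname, "ctime": now}))
    if unseal(sk_svc, ap_rep)["ctime"] != now:
        raise PermissionError("server failed mutual authentication")
    return token

def demo(now=946684800):
    directory = {                                     # constructed principals and SIDs
        "krbtgt": {"key": os.urandom(32)},
        "alice": {"key": string_to_key("correct horse"), "auth_data": {
            "user_sid": "S-1-5-21-1-2-3-1104",
            "group_sids": ["S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-2001"]}},
        "cifs/infosrv": {"key": os.urandom(32)},
    }
    srv = AppServer("cifs/infosrv", directory["cifs/infosrv"]["key"], now)
    return client_login(KDC(directory, now), srv, "alice", "correct horse", now)

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the token the server built, i.e. the user and group SIDs the LSA would place in the impersonation token. A ticket opened with the wrong service key, a stale authenticator and a replayed authenticator each raise, which is where the checks behind step 3 of the connection diagram live.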

Remote File Access Check
- Diagram: on the client, the file application opens \\infosrv\share; the redirector (Rdr) calls the Kerberos SSP through SSPI, which obtains a ticket for the server from the KDC and sends it over the SMB protocol. On the server, the Kerberos SSP validates the ticket and the LSA builds a token; NTFS then performs the access check of that token against the file's security descriptor (SD).

Architecture for Multiple Authentication Services
- Diagram: applications request authentication through SSPI, and SSPI dispatches to a security provider.
  - Applications: Secure RPC; HTTP (Internet Explorer, Internet Information Server); DCOM applications; POP3 and NNTP (mail, chat, news); CIFS/SMB (remote file); LDAP (directory-enabled apps using ADSI).
  - Providers: NTLM (backed by MSV1_0/SAM); Kerberos (backed by the KDC/DS); SChannel (SSL/TLS); DPA (membership services).
![Page 57: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/57.jpg)
Windows NT 4.0 - 5.0 Interoperability
Windows NT 4.0 clients and servers
  Use NTLM authentication
Windows NT 5.0 clients
  Locate NT 5.0 Active Directory and KDC
  Support smart card logon
  Use Kerberos or NTLM protocol
Windows NT 5.0 servers
  Accept both the NTLM and the Kerberos protocol
![Page 58: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/58.jpg)
Public Key Components: X.509 and PKCS Standards
Diagram: Windows NT Directory Server, Certificate Server, Enterprise Certificate services, Trust policy
For clients
  User key and certificate management
  Secure channel
  Secure storage
  Auto enrollment
For servers
  Key and certificate management
  Secure channel
  Client authentication
  Auto enrollment
![Page 59: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/59.jpg)
Crypto API Architecture
Diagram: Application -> Crypto API 1.0 (certificate management services, secure channel) -> Cryptographic Service Providers (RSA base CSP, Fortezza CSP, SmartCard CSP) -> key database and certificate store
![Page 60: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/60.jpg)
SSL Client Authentication: Integrated Security Administration
Strong authentication using X.509 certificates
  Single user ID for multiple protocols
Security account management
  Use existing infrastructure: account admin and access control
Accept third-party X.509 certificates from trusted Certificate Authorities
  Inter-business authentication
![Page 61: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/61.jpg)
SSL Client Authentication
Diagram: client certificate -> SChannel SSP on the Server -> Certificate Store of Trusted CAs -> Authentication service -> directory (Domain, Org (OU), Users) -> Access token -> Server resources (ACL)
1. Verify user certificate based on trusted CA, CRL
2. Locate user object in directory by subject name
3. Build NT access token based on group membership
4. Impersonate client, object access verification
![Page 62: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/62.jpg)
Client Authentication Using SmartCards
Diagram: Internet Explorer 4.0 -> Secure channel / SSPI -> Crypto API -> SmartCard CSP -> Reader driver -> Reader -> ICC
Secure channel between Internet Explorer and Internet Information Server
Keys and certificates managed by Crypto API
SmartCard CSP gets certificate and protocol signature from card
![Page 63: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/63.jpg)
Smart Card Logon
Diagram: the card holds certs and keys; the user profile holds other certs and keys; logon yields a TGT
Private key and certificate on card
Public key domain authentication
  PK Kerberos
Internet Explorer
  User profile for other keys and certificates
RAS support
Domain credentials
  Obtain Kerberos TGT and NTLM credentials
![Page 64: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/64.jpg)
Management Of Trust
Trust policy decisions
  What CAs are trusted?
  What are they trusted for? Client Authentication, Server Authentication, Authenticode
Trust determination made locally
  Certificate path verification
Configure trust policy centrally
  Define trust policy in Policy Editor
  Signed by an authorized user
![Page 65: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/65.jpg)
Encrypting File System
Privacy of data that goes beyond access control
  Protect confidential data on laptops
  Configurable approach to data recovery
Integrated with core operating system components
  Windows NT File System (NTFS)
  Crypto API key management
  LSA security policy
Transparent and very high performance
![Page 66: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/66.jpg)
EFS Architecture
Diagram, user mode: Applications -> Win32 layer; EFS service -> Crypto API
Diagram, kernel mode: I/O manager -> NTFS -> EFS.sys (FSRTL callouts) -> encrypted on-disk data storage
LPC communication between EFS.sys and the EFS service for all key management support
![Page 67: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/67.jpg)
File Encryption
Diagram: RNG -> randomly-generated file encryption key
File encryption (e.g., DES) with that key: "A quick brown fox jumped..." -> "*#$fjda^ju539!3tt389E *&"
Data decryption field generation (e.g., RSA) with the user's public key -> DDF
Data recovery field generation (e.g., RSA) with the recovery agent's public key in recovery policy -> DRF
![Page 68: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/68.jpg)
File Decryption
Diagram: "*#$fjda^ju539!3tt389E *&" + DDF -> DDF extraction (e.g., RSA) with the user's private key -> file encryption key -> file decryption (e.g., DES) -> "A quick brown fox jumped..."
DDF contains file encryption key encrypted under user's public key
DDF is decrypted using the private key to get to the file encryption key
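The encryption and decryption slides above describe an envelope: a random file encryption key protects the data, and that key is wrapped once under the user's public key (DDF) and once under the recovery agent's public key (DRF), so either private key recovers the file. The Go program below is an added illustration of that scheme, not Microsoft's EFS code or its on-disk format; it assumes AES-256-GCM in place of the slide's DES example, RSA-OAEP for the key wrapping, and a struct layout of its own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile models the slide's layout: ciphertext plus a Data Decryption Field (DDF)
// and a Data Recovery Field (DRF), each carrying the FEK under a different public key.
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	DDF               []byte // FEK wrapped under the user's public key (illustrative layout)
	DRF               []byte // FEK wrapped under the recovery agent's public key
}

// newAEAD: symmetric cipher for the file body (AES-256-GCM in place of the slide's DES).
func newAEAD(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile draws a random FEK, encrypts the data with it and wraps the FEK under the
// user's and the recovery agent's public keys (RSA-OAEP): the two "field generation" boxes.
func EncryptFile(plain []byte, user, agent *rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // 32-byte FEK followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	gcm, err := newAEAD(fek)
	if err != nil {
		return nil, err
	}
	ddf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, user, fek, nil)
	if err != nil {
		return nil, err
	}
	drf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agent, fek, nil)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plain, nil)
	return &EncryptedFile{Nonce: nonce, Ciphertext: ct, DDF: ddf, DRF: drf}, nil
}

// DecryptFile unwraps the FEK from one field with a private key and decrypts the body:
// DDF + user key is normal access, DRF + recovery agent key is data recovery.
func DecryptFile(ef *EncryptedFile, field []byte, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, field, nil)
	if err != nil {
		return nil, err // wrong private key for this field: the FEK stays sealed
	}
	gcm, err := newAEAD(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}
```

Because the FEK never leaves the envelope in the clear, revoking recovery is a matter of which public keys were used to build the DRF when the file was written, which is why the slide ties the recovery agent's key to the recovery policy.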
![Page 69: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/69.jpg)
Active Directory Security Features
Organization Units (OU) to organize the directory name space
  Users, groups, computers in separate containers
Directory object security
  Per property access control
  Per property auditing
Delegation of administration
  Who can create, manage users, groups, computer accounts, other objects
![Page 70: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/70.jpg)
Domain Trust
Diagram: microsoft.com with child domains europe.microsoft.com and fareast.microsoft.com joined by Kerberos trust; a downlevel domain attached by explicit Windows NT 4.0-style trusts
![Page 71: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/71.jpg)
Managing Security
Security Configuration Editor (SCE)
  Defines security configuration templates
Group Policy Editor
  Defines hierarchy of user or computer policy templates for OUs up to the Domain
Security configuration is part of Group Policy
  Group Policy for a computer includes the security configuration
  Security configuration applied at startup
![Page 72: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/72.jpg)
A Security Configuration
Covers various security areas
  Account Policies: password, lockout, Kerberos
  Local Policies: auditing, user rights, ...
  Restricted Groups: Administrators, Power Users, ...
  Registry & File System: security descriptors
  Services: startup mode and security descriptors
![Page 73: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/73.jpg)
Summary (1/2)
Kerberos for domain authentication for the Enterprise
  Mutual authentication, transitive trust
Public key security components
  Certificate Services to issue organization certificates
  Personal key and certificate management
  Public key credentials for servers
Directory-based SSL/TLS client authentication using X.509 certificates
![Page 74: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/74.jpg)
Summary (2/2)
Crypto API enhancements
Smart card logon and dialup access
Message encryption using SSPI
SMB data encryption using IPsec
Encrypting File System
DS Security Administration and Policy
Security Configuration Editor
Cross-platform authentication interoperability
![Page 75: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/75.jpg)
Group Policy Objects
![Page 76: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/76.jpg)
Group Policy Definition
“The ability for the administrator to state a wish about the state of their users’ environment once, and then rely on the system to enforce that wish!”
![Page 77: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/77.jpg)
Group Policy Review
Policies Are Not Profiles
  A profile is a collection of user environment settings that the user may change
  Group Policy is a collection of user environment settings specified by the administrator
Group Policy is more than simple “lockdown”
  Group Policy enhances the “Follow Me!” experience by enabling organizations to:
    Set registry settings securely and without fear of tattooing (Administrative Templates)
    Specify security oriented settings (Security Settings)
    Install software (Software Installation)
    Re-direct “My Documents,” “Desktop,” etc. to the network (Folder redirection)
    Implement tiered scripts (Scripts)
![Page 78: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/78.jpg)
Group Policy And The Active Directory
Diagram: a Site spanning Domain A (OUs A1, A2; GPOs A1 to A5) and Domain B (OUs B1 to B3; GPOs B1, B2), asking "What is my policy?"
Sites are described by subnet addresses and may cross Domain boundaries; normally they would not
GPOs are per Domain
Group Policy is NOT inherited across Domains
Multiple GPOs may be associated with a single SDOU
Multiple SDOUs may use a single GPO
Any SDOU may be associated with any GPO, even across Domains (slower - maybe very slow)
The effect of a GPO may be filtered based on security group membership (ACLs)
![Page 79: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/79.jpg)
Group Policy Linked To OUs
The OU structure is your administrative structure
Group Policy configuration must be tuned to fit your OU structure
Design for the most stable and maintainable solution
![Page 80: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/80.jpg)
Filtering
Security Groups may be used to filter the effect of Group Policy
  Any Group Policy may have its scope modified by setting ACL permissions
Read and Apply Group Policy (AGP) ACEs are required for Group Policy to be applied
Only filter if necessary
  Keep simple if possible
![Page 81: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/81.jpg)
Example
Filtering can be inclusionary, or exclusionary using “deny”
Diagram: one GP linked to several OUs and applied to a virtual group; the GP's ACL carries Read & AGP ACEs
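The two filtering slides above give the rule: a user or computer receives a GPO only when its effective rights on the GPO include both Read and Apply Group Policy, and a deny ACE on either right excludes a whole group. The Go evaluator below is an added example, not Windows code; the trustee names, the two sample ACLs and the simplified deny-over-allow evaluation are constructed for illustration.

```go
package main

// Right is a GPO permission; only Read and Apply Group Policy (AGP) decide delivery.
type Right uint8

const (
	Read Right = 1 << iota
	ApplyGroupPolicy
)

// ACE is one entry in the GPO's ACL. Trustee names in this file are constructed samples.
type ACE struct {
	Trustee string
	Allow   bool // false is an explicit Deny ACE
	Rights  Right
}

type Principal struct {
	Name   string
	Groups []string // security groups the user or computer belongs to
}

func (p Principal) matches(trustee string) bool {
	for _, t := range append([]string{p.Name}, p.Groups...) {
		if t == trustee {
			return true
		}
	}
	return false
}

// GPOApplies reports whether the GPO is applied: the principal must end up with
// both Read and AGP, and a Deny ACE on either right from any matching trustee
// removes it ("deny wins", as Windows orders explicit Deny ACEs before Allow).
func GPOApplies(acl []ACE, p Principal) bool {
	var granted, denied Right
	for _, ace := range acl {
		if !p.matches(ace.Trustee) {
			continue
		}
		if ace.Allow {
			granted |= ace.Rights
		} else {
			denied |= ace.Rights
		}
	}
	required := Read | ApplyGroupPolicy
	return (granted&^denied)&required == required
}

// The two filtering styles named on the slide, as constructed sample ACLs.
var (
	// Exclusionary: everyone receives the policy except a group denied AGP.
	ExclusionaryACL = []ACE{
		{"Authenticated Users", true, Read | ApplyGroupPolicy},
		{"Contractors", false, ApplyGroupPolicy},
	}
	// Inclusionary: only one group holds both Read and AGP.
	InclusionaryACL = []ACE{
		{"Sales", true, Read | ApplyGroupPolicy},
		{"Authenticated Users", true, Read}, // may read the GPO, never receives it
	}
)
```

The inclusionary ACL shows why the slide asks for both ACEs: a principal that can Read the GPO but lacks AGP does not get the policy, which is what makes the "Only filter if necessary" advice matter when troubleshooting.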
![Page 82: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/82.jpg)
Conclusion
Active Directory
DNS
Security Features
Group Policy
![Page 83: Agenda](https://reader033.vdocuments.net/reader033/viewer/2022051620/56813a4f550346895da246e2/html5/thumbnails/83.jpg)