Eng Ing Eng !

<Insert tada.wav here>
About The Speaker
• Name: Pandu Poluan
• Email: pandu@poluan.info
• Experience:
  – Senior Instructor (of instructors) for Cisco, Microsoft,
    Certified Ethical Hackers
  – IT Manager of Infrastructure,
    PT Panin Sekuritas Tbk
     • 25 branches, 500 employees, 1 domain
  – Systems Administration Manager,
    PT Carrefour Indonesia
     • 85 branches, 10’000+ employees, 2 domains
Active Directory
    An Introduction
What is Active Directory?
• Directory
  – Database of Objects in the Domain
     • Users
     • Computers
     • Printers
     • Scanners
     • Shares
     • Refrigerators
     • Coffee Makers
     • Toilet
• Authentication
  – Into the network
  – Uses the “Kerberos” mechanism
• Privileges
  – For network resources
  – For admin tasks
• Active
Why called “Active”
• Not just auth
• Grouping (Many-to-Many)
  – Based on Org Struct
  – Based on Functional Team
  – Based on Ad Hoc needs
• Delegation
  – Of admin tasks
  – Of management tasks
• Policies
  – Restrictions
  – Forced settings
  – “Push” installation
• Audit
• Replication
  – One way & Two way
  – Bandwidth-adapting
• ‘Trust’ Relationship
Overview of AD Elements
• Domain Controllers
  – Writable & RODC
• Schema
• Security Groups
• SYSVOL
• Group Policy Objects (GPO)
• Sites & Subnets
• ... (and many others, but let’s just focus on the above for this “Introduction”)
Domain Controllers
• Where the AD database (NTDS.dit) and its logs are kept
  – Every domain credential hash lives in that database: a compromised DC is a compromised domain
• Replicate between themselves
  – Two-way between writable DCs, one-way (inbound only) to RODCs
  – Also replicate “SYSVOL”
• MUST be secured at all costs!!
  – Physical security
  – Logical security → where physical security is weak (branch offices), deploy an RODC instead of a writable DC
  – Hardening:
     • Allow only a small set of dedicated, ‘elevated’ admin accounts ‘administrator-level’ access to the DCs; never daily-use accounts, and never the local admins of member servers
The AD “Schema”
• Definition of the Objects in AD
  – Properties/Attributes
  – ‘Nature’ of the object
     • E.g., container, custom container, leaf object
• EXTREMELY, EXTREMELY VITAL!!!
  – Forest-wide: a change is replicated to every DC in the forest
  – There is no undo: schema classes and attributes can be deactivated, but never deleted
  – If someone gains schema-editing rights (Schema Admins) … and botches the schema, you are in deep trouble
  – Keep Schema Admins empty except for the duration of a planned schema change
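The two slides above (Domain Controllers and the Schema) both come down to one question: who can touch the DCs and the schema right now? The script below is an added example, not part of the original deck, and uses only the RSAT ActiveDirectory module. It assumes it is run from the forest root domain (Enterprise Admins and Schema Admins exist only there); group names are the built-in ones.

```powershell
# Added example, not from the original deck: inventory the DCs and the accounts
# that effectively hold administrator-level access to them and to the schema.
# Needs the ActiveDirectory module (RSAT) in a session run from the forest root
# domain (Enterprise Admins and Schema Admins exist only there).
Import-Module ActiveDirectory

# 1. Writable DCs vs RODCs, with site, so you know which way replication flows
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog, OperatingSystem |
    Sort-Object IsReadOnly, HostName |
    Format-Table -AutoSize

# 2. Groups whose members control every DC (and, for Schema Admins, the schema).
#    Membership is expanded recursively because nested groups count too.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

foreach ($groupName in $privileged) {
    $members = @(Get-ADGroupMember -Identity $groupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet)

    "`n== $groupName ($($members.Count) user members) =="
    $members |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
        Sort-Object SamAccountName |
        Format-Table -AutoSize
}

# 3. Schema Admins should be empty except while a planned schema change is in
#    progress: a botched schema edit replicates forest-wide and cannot be undone,
#    so nobody should hold that right permanently.
$schemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Recursive)
if ($schemaAdmins.Count -gt 0) {
    Write-Warning ("Schema Admins is not empty: " + ($schemaAdmins.SamAccountName -join ', '))
}
```

Run it on a schedule and diff the output: a new name in Domain Admins or a non-empty Schema Admins outside a change window is exactly the event the “secured at all costs” bullet is about. Disabled accounts and accounts whose password has not changed in years show up in the same listing.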
Security Groups
• Used to manage privileges/permissions
  practically, systematically, and healthily
  – Managing privileges per user in a big
    enterprise is not good for your health
• Microsoft-recommended Best Practice:


   A → G → U → DL → P
   (Account → Global group → Universal group → Domain Local group → Permissions)
A-P
• The Worst privilege-assignment strategy
  – Imagine having to give 1’000 users the same
    privileges …
  – … to 100 network shares


• Only suitable for … nothing
A-G-P
• NEVER assign permissions directly to
  accounts
• At least, assign permissions to Global SGs
• Then, gather user Accounts into Gs

• Only suitable for small domains
A-G-DL-P
• Good Enough™ for Most organizations
• In principle:
  – Gather Accounts into Global Groups (by role)
  – Assign Permissions onto Domain Locals (by resource)
  – Nest the Global Groups into the Domain Locals

   A → G → DL → P
A-G-U-DL-P
• Necessary for huge organizations
  – Allows assignment of privileges across other ‘trusted’ domains in the forest
• Similar to A-G-DL-P, but
  – Create Universal SGs spanning multiple domains
  – Put each domain’s Global SGs into a U
  – Then, nest the Us into the DLs
  – Caveat: Universal group membership is stored in the Global Catalog, so put Global groups (not individual accounts) into a U to keep GC replication small

   A → G (domain 1) \
                      > U → DL → P
   A → G (domain 2) /
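What A-G-DL-P and A-G-U-DL-P look like as commands, as an added example rather than anything from the deck: one role group, one resource group per permission level, and an NTFS ACL that names only the Domain Local group. The OU path, folder path, group names and user names are assumptions; the commands are the RSAT ActiveDirectory module plus the standard .NET ACL classes.

```powershell
# Added example, not from the original deck: implement A-G-DL-P for one share,
# then the A-G-U-DL-P extension for a multi-domain forest.
# OU path, folder, group and user names below are assumptions.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=corp,DC=example'   # assumed OU that holds the groups
$share  = 'D:\Shares\Finance'              # assumed folder behind \\fs01\Finance
$domain = (Get-ADDomain).NetBIOSName

# A -> G: role groups hold accounts (Global scope: members from this domain only)
New-ADGroup -Name 'Role-Finance-Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Role-Finance-Staff' -Members 'alice', 'bob'   # assumed users

# DL -> P: resource groups hold permissions (Domain Local scope: may contain
# Global/Universal groups from any trusted domain; granted only on local resources)
New-ADGroup -Name 'ACL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
New-ADGroup -Name 'ACL-Finance-Read'   -GroupScope DomainLocal -GroupCategory Security -Path $ou

# G -> DL: nest the role group into the resource group
Add-ADGroupMember -Identity 'ACL-Finance-Modify' -Members 'Role-Finance-Staff'

# P: the NTFS ACE names the DL group only, never a user and never the G
$acl  = Get-Acl -Path $share
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$domain\ACL-Finance-Modify",       # identity
    'Modify',                           # FileSystemRights
    'ContainerInherit, ObjectInherit',  # inherit to subfolders and files
    'None',                             # PropagationFlags
    'Allow'
)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# A-G-U-DL-P variant: a Universal group collects the Global role groups from
# each domain of the forest, and only the U is nested into the DL.
New-ADGroup -Name 'U-Finance-Staff-AllDomains' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'U-Finance-Staff-AllDomains' -Members 'Role-Finance-Staff'
# ... plus the equivalent Global groups from the other domains
Add-ADGroupMember -Identity 'ACL-Finance-Modify' -Members 'U-Finance-Staff-AllDomains'

# Check: apart from the usual SYSTEM/Administrators entries, only ACL-* groups
# should appear, and no user account should ever show up here.
(Get-Acl -Path $share).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

The payoff is in the last check: onboarding a user is one Add-ADGroupMember on a Role-* group, and reviewing who can modify a share is one Get-ADGroupMember -Recursive on the ACL-* group, with no ACL on 100 shares to touch.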
SYSVOL
• The mysterious, enigmatic area where important AD thingies are kept
   – Group Policy Objects (the file part: templates and settings)
   – Startup/Shutdown/Logon/Logoff scripts
   – Other small-sized SysAdmin supporting files
   – Every domain computer reads it (\\<domain>\SYSVOL) and runs scripts from it, so write access to SYSVOL is effectively write access to every machine in the domain
• Employs mysterious “Junctions”
   – Must be hosted on NTFS
   – Please please please for the love of all things holy: do not delete any directory in here if you don’t understand its structure
       • A deletion replicates to every other DC just like any other change
• Automatically replicated to other DCs
   – RODCs only receive SYSVOL (inbound, one-way); local changes on an RODC are overwritten
   – FRS on Windows Server 2003; DFSR from Windows Server 2008 (at the 2008 domain functional level; existing domains migrate with dfsrmig)
   – Please do not put anything too big in SYSVOL …
       • else, your NetAdmin is going to find you and hurt you…
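Before touching SYSVOL, the checks the slide implies: which replication engine is in use, where the junctions are (so nobody deletes through one), and what is too big to be replicated to every DC. This is an added example run on a DC, not code from the deck; the size threshold is an assumption, and Get-SmbShare requires Windows Server 2012 or later (on older DCs set $root to %SystemRoot%\SYSVOL by hand).

```powershell
# Added example, not from the original deck: look before you touch SYSVOL.
# Run on a DC. The size threshold is an assumption; policy files are normally KBs.
$sizeLimitMB = 10

# Resolve the real folder behind the SYSVOL share (SYSVOL\sysvol, or SYSVOL_DFSR\sysvol
# after a DFSR migration) and its parent, which holds 'domain' and 'staging'.
$sysvolShare = (Get-SmbShare -Name 'SYSVOL').Path
$root        = Split-Path -Path $sysvolShare -Parent
"SYSVOL share -> $sysvolShare"

# 1. FRS or DFSR? dfsrmig reports the migration global state:
#    0 = Start (still FRS), 1 = Prepared, 2 = Redirected, 3 = Eliminated (DFSR only).
dfsrmig /getglobalstate

# 2. Junctions (reparse points). The entries under 'sysvol\<domain>' and
#    'staging areas\<domain>' are junctions into 'domain' and 'staging'.
#    Deleting through a junction deletes the real data, and that deletion replicates.
Get-ChildItem -Path $root -Recurse -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    Select-Object FullName, Attributes |
    Format-Table -AutoSize

# 3. Files above the threshold probably belong on an ordinary file share, with a
#    script or GPO pointing at them, not in a folder every DC must replicate.
Get-ChildItem -Path "$root\domain" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt $sizeLimitMB * 1MB } |
    Sort-Object Length -Descending |
    Select-Object FullName,
                  @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } },
                  LastWriteTime |
    Format-Table -AutoSize

# 4. Total footprint that every DC in the domain holds and replicates
$total = (Get-ChildItem -Path "$root\domain" -Recurse -File -ErrorAction SilentlyContinue |
          Measure-Object -Property Length -Sum).Sum
'SYSVOL\domain total: {0:N1} MB' -f ($total / 1MB)
```

The junction listing is the part worth keeping in a runbook: the names that look like duplicates of the domain folder are not copies, and an Explorer “delete” on one of them is a delete on the only copy.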
Group Policy Objects
• A method to apply:
  – Common restrictions
  – Common settings
  – Common applications (“push” installation)
• Linked to one (or more) “Organizational Units” (can also be linked to the domain or to a site)
• Two kinds of policies
  – Computer policies – applied when the machine finishes booting
  – User policies – applied at logon
     • Both are also refreshed periodically in the background, so a computer policy *may* get re-applied around a user logon
• Can be selectively applied
  – Security filtering (only groups granted “Apply Group Policy” receive it) and WMI filters
  – Whoever can edit a GPO can run a startup script as SYSTEM on every machine it is linked to, so GPO edit rights are admin rights
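The GPO lifecycle from the slide, as an added example (not from the deck) using the RSAT GroupPolicy module: create, link to an OU with the link disabled, set one computer and one user restriction, scope it to a group by security filtering, review, then enable. GPO name, OU path and group name are assumptions; the two registry policies are standard Windows ones (hide the last logged-on user name, remove Task Manager).

```powershell
# Added example, not from the original deck: create, populate, scope and link a
# GPO. Requires the GroupPolicy and ActiveDirectory modules (RSAT).
# GPO name, OU path and the filtering group are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Branch-Workstation-Baseline'
$targetOu = 'OU=Workstations,OU=Branch,DC=corp,DC=example'
$applyTo  = 'Branch-PCs'     # assumed security group of computer accounts

# 1. Create, and link with the link disabled until the settings are reviewed
New-GPO -Name $gpoName -Comment 'Common restrictions for branch PCs' | Out-Null
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled No -Enforced No | Out-Null

# 2. Computer policy (applied at boot): do not show the last logged-on user name
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DontDisplayLastUserName' -Type DWord -Value 1 | Out-Null

# 3. User policy (applied at logon): remove Task Manager
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

# 4. Security filtering: only members of $applyTo get "Apply Group Policy".
#    Authenticated Users keeps Read (not Apply): since MS16-072 the computer
#    account must still be able to read the GPO for user settings to process.
Set-GPPermission -Name $gpoName -TargetName $applyTo -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 5. Review: settings report plus the list of who may edit it (step 4 shows
#    apply rights; edit rights are what make a GPO an admin-level asset)
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
Get-GPPermission -Name $gpoName -All |
    Select-Object Trustee, TrusteeType, Permission |
    Format-Table -AutoSize

# 6. Enable the link once the report looks right
Set-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null

# On a client in that OU, to apply without waiting for the background refresh:
#   gpupdate /target:computer /force
#   gpresult /r /scope:computer
```

The Get-GPPermission listing is the security check: anything beyond Domain Admins, Enterprise Admins, SYSTEM and the intended delegated group with GpoEdit or GpoEditDeleteModifySecurity is someone who can run code on every machine under that link.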
Sites and Subnets
• Active Directory enables the definition of “sites”
   – Basically, a grouping of subnets in the enterprise (usually one well-connected location)
   – Also, a collection of DCs in those subnets
• Features enabled by “sites”
   – Definition of replication topology
   – Definition of replication connection “costs”
   – Custom scheduling of replication (e.g., WAN links only after hours)
   – Nearest-DC: the DC locator maps the client’s IP to a subnet, hence a site, and prefers a DC in that site (for logon, SYSVOL access, etc.)
   – A client on a subnet that is mapped to no site may end up authenticating against a DC anywhere in the domain
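The site features listed above, as an added example rather than code from the deck: two sites, their subnets, a costed and scheduled site link, the DC moved into its site, and the checks that show whether clients actually find the nearest DC. Site names, subnets, the DC name and the domain name are assumptions; the cmdlets are the RSAT ActiveDirectory module (Windows Server 2012 or later).

```powershell
# Added example, not from the original deck: define sites, subnets and a site
# link, then verify DC locator behaviour. Names and subnets are assumptions.
Import-Module ActiveDirectory

# 1. Sites: one per well-connected location
New-ADReplicationSite -Name 'HQ-Jakarta'
New-ADReplicationSite -Name 'Branch-Surabaya'

# 2. Subnets: this mapping is what the DC locator uses to place a client in a site
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'HQ-Jakarta'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Branch-Surabaya'

# 3. Site link: cost steers the topology the KCC builds, the frequency and the
#    schedule throttle WAN use (here: replicate hourly, only 19:00-23:45 daily)
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Nineteen,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)

New-ADReplicationSiteLink -Name 'HQ-Surabaya' `
    -SitesIncluded 'HQ-Jakarta', 'Branch-Surabaya' `
    -Cost 200 `
    -ReplicationFrequencyInMinutes 60 `
    -ReplicationSchedule $schedule `
    -InterSiteTransportProtocol IP

# 4. Put the branch DC (assumed name) into its site; DCs created in the default
#    site stay there until moved, and then every branch client logs on over the WAN
Move-ADDirectoryServer -Identity 'DC-SBY01' -Site 'Branch-Surabaya'

# 5. Checks
#    a) every subnet should map to a site; unmapped subnets fall back to any DC
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, Site |
    Format-Table -AutoSize
#    b) DCs and the site each one serves
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsReadOnly |
    Format-Table -AutoSize
#    c) replication health per DC, and which DC/site the locator picks from here
repadmin /replsummary
nltest /dsgetdc:corp.example
```

The nltest output includes the DC chosen and both the client's site and the DC's site; if they differ for a machine that sits in a branch, the subnet mapping in step 2 is what to fix, not the DC.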
Other Important Things You Should Know If You Are A Windows Systems Administrator
• FSMO Roles
• Time Synchronization
• Deployment tools
• Management tools
• Diagnostic tools
Thank you!
Question-and-(hopefully)-Answer Session