Active Directory Domain Services 1: Examples for Directory Service

  • Slides: 35

Active Directory Domain Services 1 (Operating Systems)

Examples for Directory Service (slide 7)
  • Network Information Service (NIS)
  • Active Directory

Windows Server 2008 AD (slide 8)
  • Windows Server 2008 AD includes five technologies:
      • AD Domain Services
      • AD Lightweight Directory Services
      • AD Certificate Services
      • AD Rights Management Services
      • AD Federation Services

Domain Controller (slide 11)
  • Domain Controller: a server that holds a copy of Active Directory.

Active Directory Terms (slide 12)
  • What Are Domains?
  • What Are Trees?
  • What Are Forests?
  • What Are Organizational Units?
  • What Are Trust Relationships?

Active Directory Terms (slide 13)
  [Diagram labels: Forest, Domain Tree, Domain, Trust, Organizational Unit (OU), Objects]

Organizational Units (slide 14)
  [Diagram: a domain containing OU 1 and OU 2; labels: Users, User 1, User 2, Computers, Computer 1, Printers, Printer 1, Printer 2]

Organizational Units (slide 15)
  • Objects
      • Users
      • Computers
  • Organizational Units
      • Containers that can be used to group objects within a domain

SID, ACL (slides 20 and 21)

SID, ACL (slide 22)

  Access Control List (ACL) example:

    SID          Privileges
    008201013    Read
    008201014    Write
    008201015    Modify

  • Security Identifier (SID): the SID is a very large number, so it is guaranteed to be unique.
      • Ex: S-1-5-12-7623811015-3361044348-030300820-1013
  • Group Privileges

ACL (slide 23)

Authentication and Authorization (slide 24)
  • A user presents credentials that are authenticated by using the information stored with the user's identity.
  • The system creates a security token that represents the user with the user's SID and all related group SIDs.
  • A resource is secured with an ACL: permissions that pair a SID with a level of access.
  • The user's security token is compared with the ACL of the resource to authorize a requested level of access.

Authentication (slide 25)
  • Authentication is the process that verifies a user's identity.
  • Credentials: at least two components required
      • User name
      • Secret, for example, password
  • Two types of authentication
      • Local (interactive) logon: authentication for logon to the local computer
      • Remote (network) logon: authentication for access to resources on another computer

Access Tokens (slide 26)
  • User's Access Token
      • User SID
      • Member Group SIDs
      • Privileges ("user rights")
      • Other access information

ACLs and ACEs (slide 27)
  • Security Descriptor
      • SACL
      • DACL or "ACL"
          • ACE: Trustee (SID), Access Mask

Authorization (slide 28)
  • Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource.
  • Three components required for authorization
      • Resource (Security Descriptor: SACL, DACL or "ACL"; each ACE carries a Trustee (SID) and an Access Mask)
      • Access Request
      • Security Token (User's Access Token: User SID, Group SIDs, list of user rights, other access information)
  • The system finds the first ACE in the ACL that allows or denies the requested access level for any SID in the user's token.
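The SID structure from slide 22 and the token-versus-DACL comparison from slides 24 through 28, worked through as an added example that is not part of the slide deck. It splits a textual SID into revision, identifier authority, sub-authorities and RID, then evaluates a DACL the way Windows does: ACEs are walked in canonical order (explicit denies before allows), a deny ACE wins as soon as it covers a still-requested right, access is granted once every requested right has been allowed by some ACE, and reaching the end of the list is an implicit deny. That is a more general statement than the slide's "first ACE that allows or denies" summary, and it also shows the difference between an empty DACL (nobody gets access) and a missing DACL (everybody does). All SIDs, the Read/Write/Modify bit values and the ACE records are constructed for this example.

```python
"""Constructed example: SID parsing and a DACL access check (not from the slides)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Access-mask bits for this example only; real Windows access masks use a
# different layout (generic rights, standard rights, object-specific rights).
READ, WRITE, MODIFY = 0x1, 0x2, 0x4


def parse_sid(sid: str) -> dict:
    """Split "S-<revision>-<identifier authority>-<sub-authority>..." into parts.
    For a domain SID the last sub-authority is the RID, which identifies the
    user or group within that domain."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a valid SID string: {sid!r}")
    sub = [int(p) for p in parts[3:]]
    return {
        "revision": int(parts[1]),
        "identifier_authority": int(parts[2]),
        "sub_authorities": sub,
        "rid": sub[-1] if sub else None,
    }


@dataclass(frozen=True)
class ACE:
    ace_type: str  # "allow" or "deny"
    trustee: str   # SID of the user or group the ACE applies to
    mask: int      # access-mask bits the ACE allows or denies


@dataclass(frozen=True)
class Token:
    """The parts of an access token that matter for the check: the user SID
    plus every group SID the user is a member of."""
    user_sid: str
    group_sids: Tuple[str, ...]

    def sids(self) -> frozenset:
        return frozenset((self.user_sid, *self.group_sids))


def canonical_order(dacl: Sequence[ACE]) -> list:
    """Deny ACEs before allow ACEs (stable). Simplification: the real canonical
    order also places explicit ACEs before inherited ones."""
    return sorted(dacl, key=lambda ace: 0 if ace.ace_type == "deny" else 1)


def access_check(token: Token, dacl: Optional[Sequence[ACE]], requested: int) -> Tuple[bool, str]:
    """Return (granted, reason) for the requested access-mask bits."""
    if requested == 0:
        raise ValueError("a request must ask for at least one right")
    if dacl is None:
        # A security descriptor with no DACL at all grants everyone everything;
        # this is different from an empty DACL, which grants nothing.
        return True, "granted: no DACL present"
    token_sids = token.sids()
    remaining = requested  # rights not yet granted by an allow ACE
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue  # ACE is for a SID the token does not carry
        if ace.ace_type == "deny" and ace.mask & remaining:
            return False, f"denied by deny ACE for {ace.trustee}"
        if ace.ace_type == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "granted: all requested rights allowed"
    return False, "denied: implicit deny at end of DACL"


# Constructed sample principals and DACL. S-1-1-0 is the well-known Everyone SID;
# the domain SID below is made up for this example.
DOMAIN = "S-1-5-21-1000000001-2000000002-3000000003"
ALICE, BOB, EDITORS = f"{DOMAIN}-1013", f"{DOMAIN}-1014", f"{DOMAIN}-2001"
EVERYONE = "S-1-1-0"

ALICE_TOKEN = Token(ALICE, (EDITORS, EVERYONE))
BOB_TOKEN = Token(BOB, (EVERYONE,))

FILE_DACL = canonical_order([
    ACE("allow", EVERYONE, READ),
    ACE("allow", EDITORS, READ | WRITE),
    ACE("deny", BOB, WRITE),   # sorted to the front by canonical_order
])

if __name__ == "__main__":
    print(parse_sid(ALICE))
    for who, tok in (("alice", ALICE_TOKEN), ("bob", BOB_TOKEN)):
        for want in (READ, READ | WRITE, MODIFY):
            print(who, want, access_check(tok, FILE_DACL, want))
```

Running the module prints the parsed SID and the decision for each user and request; Bob keeps Read through the Everyone ACE but loses any request that includes Write because his deny ACE is evaluated first, and Alice's Modify request fails only at the end of the list, which is the implicit deny.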

Workgroup Authentication (slide 29)
  • The identity store is a database on the Windows system
  • No shared identity store
  • Multiple user accounts
  • Management of passwords is challenging

Client/Server Authentication (slide 30)
  • Centralized identity store trusted by all domain members
  • Centralized authentication service
  • Hosted by a server performing the role of an AD DS domain controller

MMC: Custom MMC

How to Create a Custom MMC (slide 33)
  • To create a custom MMC, type MMC in the Run dialog box.
  • From the File menu, choose Add/Remove Snap-in…

Snap-ins (slide 34)
  • Active Directory Administration Tools:
      • Active Directory Users and Computers
      • Active Directory Sites and Services
      • Active Directory Domains and Trusts
      • Active Directory Schema