Active Directory Policy

Design an Active Directory configuration for ESI that includes trusts between established branches as well as incorporation of the DNS structure you designed in the Critical Thinking assignment for Week 2.

Your Active Directory design must include the following:

Overall Active Directory DS configuration
Group policy
Sites
Trusts
Authentication methods
Remote access considerations
Any other element that you feel is essential (within the topics covered) to a solid Active Directory design
I. Active Directory Design
Active Directory Domain Services
With the release of Windows Server 2008, Active Directory Services became known as Active Directory Domain Services (AD DS). AD DS is the central place for configuration, authentication and information about every object in your forest. You can manage literally every object, including users, groups, permissions, computers, applications and more. Windows Server 2008 also brought some very useful additions. With fine-grained password policies, you have the flexibility to apply different password policies to special groups. You can now deploy read-only domain controllers, so that where security is a concern you need not worry about changes being made on that domain controller and affecting your live environment.
AD Design
When you are designing your AD DS there are a few things to consider for the logical organization. LabSim lesson 2.1.2 will go into detail regarding the following:
• Forest – A group of domain trees that trust each other by design
• Tree – A group of related domains that share the same DNS name space
• Domain – A group of clients and servers all under the authority of the same security database
• Organizational Unit (OU) – A term used to classify objects located in the domain
Functional Levels
When you want to establish which functions can be carried out in your Active Directory domain, you use functional levels. Functional levels determine which operating systems you can use to run your domain controllers. They do not affect the operating system you use on member servers or clients in the domain, but they do specify what must run on any server that will be a domain controller. Functional levels also define which AD DS features are available to the domain or forest.
Once you raise the domain functional level, you cannot return to the previous one. All functional levels in the domain must be at Windows Server 2000 before the domain can be raised to Windows Server 2008.
Microsoft also added some new functionality to Windows Server 2008:
• DNS background zone loading
• TS Licensing for terminal servers running Windows Server 2008. If you have terminal servers running Windows Server 2008, you must have a licensing server running Windows Server 2008
• Read-only domain controller (RODC) support. You must have one full domain controller running Windows Server 2008 in each domain where you have an RODC, and the RODC can only be installed on Windows Server 2008
• Server core installations
II. Active Directory Trusts and Replication
Trusts
In the simplest terms, a trust is exactly what it sounds like: a recognized relationship that exists between different domains. Because the domains trust each other, they allow interaction between each other. Permission is granted by default to authenticate users, access resources, and communicate back and forth between the domains like one big happy family, because that is exactly what a group of trusted domains is. There are, however, one-way trusts. Examine the following diagram from LabSim:
[Figure: One-way trust diagram from LabSim. Domain A trusts Domain B; Domain B does not trust Domain A.]
Source: http://www.labsimonline.com
In the example above, there is a trust established, though it is only one way. If your domains are in a forest, then by default the trusts created are two-way. You can create specific manual trusts and set them as one-way only.
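The following is an added example, not part of the original assignment or of LabSim's material, showing how the one-way trust pictured above would be created from the trusting side and how to audit the direction of every trust a domain holds. The domain names (esi.com and partner.example) and the account names are assumptions.

```powershell
# Added example (not from the original assignment): creating a one-way trust
# and auditing trust direction. Domain names and account names are assumptions.
Import-Module ActiveDirectory

# One-way trust in which esi.com (the trusting domain) trusts partner.example
# (the trusted domain): partner users can be granted access to ESI resources,
# but ESI users get nothing in partner.example. Omitting /twoway keeps it
# one-way. /quarantine:yes turns on SID filtering; /SelectiveAUTH limits
# partner users to resources where they are explicitly "Allowed to Authenticate".
netdom trust esi.com /d:partner.example /add /quarantine:yes /SelectiveAUTH `
    /ud:partner\TrustAdmin /pd:* /uo:esi\TrustAdmin /po:*

# Inventory every trust the domain knows about and flag the ones that are
# two-way or forest-wide, which deserve a second look in a design review.
function Get-EsiTrustReport {
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Partner          = $_.Name
            Direction        = $_.Direction            # Inbound, Outbound or BiDirectional
            Type             = $_.TrustType            # Uplevel, Downlevel, MIT ...
            ForestTransitive = $_.ForestTransitive
            SIDFiltering     = $_.SIDFilteringQuarantined
            SelectiveAuth    = $_.SelectiveAuthentication
            ReviewNeeded     = ($_.Direction -eq 'BiDirectional') -or $_.ForestTransitive
        }
    }
}

Get-EsiTrustReport | Format-Table -AutoSize
```

Direction is reported from the point of view of the domain you query: an Outbound trust means this domain trusts the partner, which is the "Domain A trusts Domain B" case in the diagram.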
AD Replication
In order to keep your domain controllers up to date with the latest information, you will need to set replication between them. Replication copies the changes made in the Active Directory database and makes sure that all domain controllers receive and update this information so that everyone is on the same page. Should a domain controller need to be taken offline, you would want the one taking over active duties to have the latest changes. This is what replication does for your enterprise.
There are two types of replication, described in the following information from LabSim.
Intrasite replication takes place between domain controllers located within one site.
• By default, replication occurs between all domain controllers within a site once every hour
• You can modify the frequency to occur up to four times per hour
• Bridgehead servers, site links, or site link bridging are not used
Intersite replication involves bridgehead servers that are between two or more sites.
• Intersite replication is compressed, scheduled, and configured to use a specific networking protocol
• To customize intersite replication, configure sites and site links
Active Directory makes use of objects to manage replication traffic across your enterprise. The objects used are:
• Subnet – A physical section of your network that identifies the network address and mask
• Site – A group of networks connected together
• Site Link – A logical path, not a physical one, between sites that is used for replication
• Site Link Bridge – A group of several site links that can be shown as a single logical link
• Bridgehead server – A domain controller that is replicating with domain controllers in other sites
• Global Catalog server – Holds a partial replica of every object in every domain of the forest
• Universal Group Membership Caching – Stores the group memberships located throughout the forest
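As an added example (not from the original assignment), this script builds the replication objects listed above for two ESI branches: a site per office, the subnet that maps addresses to each site, and a site link that carries scheduled, compressed intersite replication between them. The site names, subnets and replication interval are assumptions.

```powershell
# Added example (not from the original assignment): sites, subnets and a site
# link for two ESI branches. Names, subnets and the interval are assumptions.
Import-Module ActiveDirectory

$sites = @{
    'Atlanta' = '10.10.0.0/16'   # constructed: Atlanta branch network
    'Denver'  = '10.20.0.0/16'   # constructed: Denver branch network
}

foreach ($site in $sites.Keys) {
    # A site groups well-connected networks; one site per branch office here.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    # The subnet object ties client and DC addresses to the site so that
    # logons go to a local domain controller and replication stays local.
    $subnet = $sites[$site]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $site
    }
}

# The site link is the logical path replication follows between the branches.
# Lower cost wins when several paths exist; the frequency is the intersite
# schedule (default 180 minutes, minimum 15). The bridgehead servers at each
# end are chosen automatically by the KCC unless you designate them.
New-ADReplicationSiteLink -Name 'Atlanta-Denver' `
    -SitesIncluded 'Atlanta','Denver' `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 60 `
    -InterSiteTransportProtocol IP

# Review the result; also confirms no subnet is still unassigned, which would
# leave its machines in Default-First-Site-Name.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

Every office added later only needs a site, a subnet and a link to an existing site; the site link bridging described above then lets the KCC route replication across links that share a site.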
Groups and Permissions
Permissions are one of the most dreaded parts of an administrator’s job. When you consider the potential vastness of an enterprise environment, it could easily take up a large portion of one’s day. Active Directory provides Groups to try to make the process easier and a bit more streamlined. By creating groups, you can assign permissions to specific groups and then place users into the groups that match their permission levels. This is much easier and faster than assigning permissions on individual user accounts and improves the task of administering the enterprise.
I. Group Policy
Group Policy is a tool designed to help you manage the Active Directory environment. It is intended to provide an automated and centrally administered area for management of many of the common administrative tasks found within the enterprise. The features found in Group Policy allow businesses to lower the costs involved with managing their computer systems. Once a network grows beyond a handful of users, the daily maintenance and security involved could pose a nightmare for medium and large businesses. In an enterprise environment, it could be disastrous. Group Policy was designed to alleviate these headaches.
Group Policy allows you to customize settings for many configuration options. These settings can then be pushed out to one or many objects on the network. Software installations, scripts, security settings, policies, Internet settings and device blocking are just a few of the things Group Policy allows you to control. This control can be tailored to groups or individuals.
What’s New in 2008?
Windows Server 2008 actually has several significant upgrades that make Group Policy even better.
• Management Console integration – Group Policy now has its own management console and is no longer managed from the Active Directory console
• Group Policy Client Service – Group Policy now runs as a service, which affords a more proficient and secure environment
• Group Policy Central Store – This allows administrators the ability to access ADMX files when editing GPO settings
• Group Policy Logging – This is now a standalone service with messages appearing in the system log
• Network Location Awareness – Group Policy now uses the Network Location Awareness service to establish network conditions
• XML Administrative Templates – This offers a new file format that provides easier management of administrative templates and allows change-management processes
• Support for Multiple Local Objects – This allows multiple local Group Policy objects on one PC for better management of multiple user accounts
• New Settings – There is support for more than 2600 administrative template policy settings
Group Policy Application
Group Policy uses inheritance to set settings to any objects that reside below the container the Group Policy Object (GPO) is associated with. You can modify GPO settings to obtain the results you want within Group Policy. The following are some of the methods available to you.
• Block Inheritance puts a stop to child objects inheriting settings from the parent object
• Enforced is used when you want to prevent the ‘blocked inheritance’ command from being used on certain objects
• Loopback Processing reapplies computer settings after the initial computer settings and user settings have run during computer startup. This is used so that computer settings take precedence
• GPO Permissions manage the functions users can carry out on the GPO
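The following added example (not from the original assignment) lays out an OU structure for one ESI branch and then applies each of the four methods above: an Enforced baseline link, Block Inheritance on the server OU, loopback processing for kiosk machines, and a GPO permission grant. The domain esi.com, the OU and GPO names and the helpdesk group are assumptions.

```powershell
# Added example (not from the original assignment): OU layout for one branch
# plus the inheritance controls described above. Names are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=esi,DC=com'

# Branch OU with separate containers for workstations, servers and kiosks.
# New-ADOrganizationalUnit protects OUs from accidental deletion by default.
New-ADOrganizationalUnit -Name 'Atlanta'      -Path $domainDN
New-ADOrganizationalUnit -Name 'Workstations' -Path "OU=Atlanta,$domainDN"
New-ADOrganizationalUnit -Name 'Servers'      -Path "OU=Atlanta,$domainDN"
New-ADOrganizationalUnit -Name 'Kiosks'       -Path "OU=Atlanta,$domainDN"

# 1. Baseline GPO linked at the branch level and Enforced, so that a child OU
#    with Block Inheritance still receives it.
$baseline = New-GPO -Name 'ESI-Security-Baseline' -Comment 'Enforced branch security settings'
New-GPLink -Name $baseline.DisplayName -Target "OU=Atlanta,$domainDN" -LinkEnabled Yes
Set-GPLink  -Name $baseline.DisplayName -Target "OU=Atlanta,$domainDN" -Enforced Yes

# 2. Block Inheritance on the Servers OU: only Enforced GPOs and GPOs linked
#    directly to this OU now apply to servers.
Set-GPInheritance -Target "OU=Servers,OU=Atlanta,$domainDN" -IsBlocked Yes

# 3. Loopback processing (Replace mode) for kiosks, so the user settings of the
#    GPOs applied to the computer win over the logged-on user's own OU settings.
$kiosk = New-GPO -Name 'ESI-Kiosk-Loopback'
Set-GPRegistryValue -Name $kiosk.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2    # 1 = Merge, 2 = Replace
New-GPLink -Name $kiosk.DisplayName -Target "OU=Kiosks,OU=Atlanta,$domainDN" -LinkEnabled Yes

# 4. GPO permissions: the branch helpdesk group may edit the kiosk GPO only;
#    it gets no rights on the enforced baseline.
Set-GPPermission -Name $kiosk.DisplayName -TargetName 'ATL-Helpdesk' `
    -TargetType Group -PermissionLevel GpoEdit

# Verify the resulting order on the blocked OU; Enforced links are listed first.
Get-GPInheritance -Target "OU=Servers,OU=Atlanta,$domainDN" |
    Select-Object Path, GpoInheritanceBlocked,
        @{ n = 'Applied'; e = { $_.InheritedGpoLinks.DisplayName -join ', ' } }
```

Running the final query before and after step 2 shows the practical effect of Block Inheritance: every branch-level link disappears from the Servers OU except the one marked Enforced.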
Templates
Group Policy Templates are settings that permit you to impose universal settings among GPOs by copying or importing. Administrative Templates are used for the system registry and are configurable through a Group Policy Object. Starter Group Policy Objects are new in Server 2008. They are used to make things easier when managing the settings for Administrative Templates. Group Policy can create copies of GPOs that basically give you a fresh-yet-current canvas to work with in order to create any new GPOs.
II. Authentication
Authentication
Authentication is the course of action that validates an account and either grants or denies access to the system based on the results. There are a few settings that can be customized in Active Directory, as the information below from LabSim explains.
Account Policies are used to manage passwords as well as the properties for user accounts for the entire domain.
• Password Policy settings control characteristics enforced for user passwords. Account Lockout Policy settings control what happens when a user enters one (or more) incorrect passwords
• Policy settings are configured in the Computer Configuration portion of a GPO, but they control user account passwords
• Only the settings configured in a GPO linked to the domain affect domain computers. Account Policy settings configured on an OU affect settings for local user accounts defined on the applicable computers
Smart Cards are used to store and process login information. They require the following:
• An enterprise certificate authority
• Active Directory
• A Cryptographic Service Provider (typically provided by the smart card reader manufacturer)
Fine Grained Password policies enable you to construct separate password policies for users or groups that are different than the policy being enforced on the rest of the domain.
• The domain must be running at the Windows Server 2008 domain functional level
• Password policies affect only user account passwords, not computer account passwords
• Only members of the Domain Admins group can set granular password policies, but you can delegate the ability to set these policies to others
• Granular password policies are saved as a Password Settings Object (PSO) in the Password Settings Container (PSC). The PSC holds one or more PSOs. You can define multiple PSOs, each with unique password policy settings
• PSOs have attributes for all of the settings that can be defined in the Default Domain Policy
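This added example (not from the original assignment) covers both the domain-wide Account Policy section above and the Fine Grained Password Policies section: it sets the default domain password and lockout settings, creates a stricter Password Settings Object for privileged accounts, and reports which policy actually governs each administrator. The domain name, PSO name, group names and every numeric value are assumptions.

```powershell
# Added example (not from the original assignment): domain-wide account policy
# plus a PSO for privileged accounts. Names and numbers are assumptions.
Import-Module ActiveDirectory

# Domain-wide defaults. These live in the Default Domain Policy and apply to
# every domain user; the same settings in a GPO linked to an OU would only
# affect local accounts on the computers in that OU.
Set-ADDefaultDomainPasswordPolicy -Identity 'esi.com' `
    -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false

# Fine-grained policy for administrators. A PSO with a lower precedence number
# wins when a user is covered by more than one; the PSO exposes the same
# attributes the Default Domain Policy does.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Privileged' -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '01:00:00' -LockoutObservationWindow '01:00:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# PSOs apply to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Privileged' `
    -Subjects 'Domain Admins','Enterprise Admins'

# Report the resultant policy for every member of the privileged groups, so an
# account that slipped out of the group is noticed before the PSO is relied on.
function Get-EsiEffectivePolicy {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins'))
    $default = Get-ADDefaultDomainPasswordPolicy
    foreach ($group in $Groups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                # Returns nothing when no PSO applies to the user.
                $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
                [pscustomobject]@{
                    Group     = $group
                    User      = $_.SamAccountName
                    Policy    = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
                    MinLength = if ($pso) { $pso.MinPasswordLength } else { $default.MinPasswordLength }
                }
            }
    }
}

Get-EsiEffectivePolicy | Sort-Object User -Unique | Format-Table -AutoSize
```

The domain functional level must already be Windows Server 2008 for the New-ADFineGrainedPasswordPolicy call to succeed, as the section above notes; on a lower level the PSO container does not exist.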
Authorization Manager is a means for managing authorization using roles.
• As applications are being developed, coders identify tasks that users or processes need to perform
• The application is written to check Authorization Manager to identify the roles that are allowed to perform each task
• Users are placed into roles to grant them the ability to perform those tasks
• Users and roles can be defined in Active Directory, a SQL database, or an XML file
• Using Authorization Manager in an application is a form of authorization (not authentication) that identifies what users can do. Authorization Manager does not provide the mechanism for validating user identity

Assignment 1

Elliott’s Solutions Inc. (ESI) is a company with many offices throughout the country. The company is growing rapidly and is considering expanding to other locations. ESI also has no web presence and needs to establish one because of how fast the company is growing. By establishing a web presence, the company can allow internal employees to access company resources with ease. It will also allow ESI’s customers to reach important resources and let potential customers gather more information about ESI. In the following proposal, I will discuss the creation of a DNS namespace for ESI, the requirements for setting up a domain name, and the development of an IP scheme that includes both DHCP and static addressing.
Creating a DNS Namespace
A DNS namespace is a hierarchical arrangement that resembles the root structure of a tree. Each domain extends from the node above it, beginning at the top with the top-level domain, then a second-level domain, and then subdomains. A top-level domain is something we always see when using the Internet; .com, .org and .edu are all commonly used top-level domains. Second-level domains are also called parent domains and have to be registered through an ICANN (Internet Corporation for Assigned Names and Numbers) approved registrar (Website Gear, 2004). Subdomains are usually formed to identify a specific location or organizational name, such as la for Los Angeles or support for the support department. I propose using the top-level domain .com, as it is one of the more commonly used top-level domains for companies. We should also register a second-level or parent domain of ESI for Elliott’s Solutions Inc. Subdomains should first be broken down by office location, since our company has multiple offices located throughout the country, then by department, and then by specific groups within the company. An example from our DNS namespace would be atlanta.support.esi.com, which would equate to the Atlanta office’s support department. Creating this DNS namespace will allow us to organize our domain and adopt a standard naming practice.
Requirements for a Domain Name
The Internet is full of domains, and one cannot simply create one. First, the domain name has to be available under the top-level domain you want; for example, there might be an ESI.org but not an ESI.com. Domain names are governed by ICANN (the Internet Corporation for Assigned Names and Numbers) and have to be registered through an ICANN-approved registrar. During the registration process, certain information must be provided:
1. Domain Name owner credentials (name, company name, address, phone, email address etc.)
2. Administrative contact credentials
3. Technical contact credentials
4. Domain Name System (DNS) server details
The next step is deciding whether ESI will host the website itself or have another company host it. Since ESI is a large, growing company, we will host our own website. We will then need to configure the DNS server that listens for DNS requests from the Internet. We will also want to make sure that our public website is not directly connected to the internal network, to prevent unwanted access or malicious attacks.
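As an added example (not from the original proposal), the script below builds the internal side of the namespace proposed above on a Windows DNS server: an AD-integrated esi.com zone with secure dynamic updates, branch/department host records, and a reverse zone, while keeping the authoritative public zone off the internal servers as the paragraph above requires. The zone names, host names and addresses are assumptions.

```powershell
# Added example (not from the original proposal): internal AD-integrated zone
# for the proposed namespace. Zone names, hosts and addresses are assumptions.
Import-Module DnsServer

# Internal zone stored in AD and replicated to every DNS server in the forest.
# Secure dynamic update means only authenticated domain members can register
# or overwrite their own records.
Add-DnsServerPrimaryZone -Name 'esi.com' -ReplicationScope 'Forest' -DynamicUpdate 'Secure'

# Branch/department hosts following the naming practice above. A dotted record
# name creates the subdomain nodes inside the zone; no separate delegation is
# needed until a branch runs its own DNS servers.
Add-DnsServerResourceRecordA -ZoneName 'esi.com' -Name 'fs01.atlanta.support' -IPv4Address '10.10.30.10'
Add-DnsServerResourceRecordA -ZoneName 'esi.com' -Name 'fs01.denver.support'  -IPv4Address '10.20.30.10'

# The public website sits outside the internal network. The internal zone only
# carries its public address so employees resolve it; the authoritative public
# zone is served from a DNS server in the perimeter network, not from a DC.
Add-DnsServerResourceRecordA -ZoneName 'esi.com' -Name 'www' -IPv4Address '203.0.113.10'   # documentation-range placeholder

# Reverse zone so that logs and troubleshooting resolve addresses back to names.
Add-DnsServerPrimaryZone -NetworkId '10.10.0.0/16' -ReplicationScope 'Forest' -DynamicUpdate 'Secure'

# The internal zone must never be transferable to arbitrary hosts; an open zone
# transfer would hand the whole internal host list to anyone who asks.
Set-DnsServerPrimaryZone -Name 'esi.com' -SecureSecondaries 'NoTransfer'

# Confirm the settings that matter.
Get-DnsServerZone -Name 'esi.com' |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, SecureSecondaries
```

Keeping the internal and public zones on different servers is what makes the "not directly connected to the network" requirement above hold for DNS as well as for the web server: Internet clients only ever query the perimeter server, which knows nothing about atlanta.support hosts.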
IP Scheme
DHCP, or Dynamic Host Configuration Protocol, is a method of automatically assigning IP addresses to hosts. DHCP can also be set to always hand the same address to a particular host, which is useful for servers, since you would not want their addresses to expire. DHCP sets lease expirations on the addresses it assigns, which requires hosts to obtain a new IP address when their lease expires. This is a great method for saving time and energy on a large network. Static IP addresses are hard-coded into the network card settings and remain the same until they are manually changed. This can be quite cumbersome on a large network and can also be hard to troubleshoot. For ESI, I recommend using DHCP, as the company is already a good size and growing rapidly. The only time I would recommend static IP assignment is for servers, as we want those addresses to stay the same.
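The following added example (not from the original proposal) implements the IP scheme above for one branch: a DHCP scope with lease expiry and an exclusion range, scope options pointing clients at the internal DNS servers, a reservation for a device that must keep its address, and the static configuration applied on a server's own NIC. All addresses, names and the interface alias are constructed assumptions.

```powershell
# Added example (not from the original proposal): DHCP scope, reservation and
# static server addressing for one branch. All values are constructed.
Import-Module DhcpServer

$scopeId = '10.10.20.0'

# Scope for Atlanta workstations. Leases expire after 8 days, after which the
# client must renew; the first 49 addresses are held back for infrastructure.
Add-DhcpServerv4Scope -Name 'Atlanta-Workstations' `
    -StartRange '10.10.20.1' -EndRange '10.10.20.254' `
    -SubnetMask '255.255.255.0' -LeaseDuration '8.00:00:00' -State Active
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange '10.10.20.1' -EndRange '10.10.20.49'

# Options handed to every client: gateway, internal DNS servers, search domain.
Set-DhcpServerv4OptionValue -ScopeId $scopeId `
    -Router '10.10.20.1' -DnsServer '10.10.10.5','10.10.10.6' -DnsDomain 'esi.com'

# Reservation: the printer always receives the same address from DHCP, keyed
# on its MAC address, so its lease never changes.
Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress '10.10.20.60' `
    -ClientId '00-11-22-33-44-55' -Name 'atl-print01' -Description 'Atlanta printer (constructed)'

# Servers get a static address configured on the NIC itself, not a lease.
# These two lines run on the server (NetTCPIP / DnsClient modules).
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.10.10.5' -PrefixLength 24 -DefaultGateway '10.10.10.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.10.10.5','10.10.10.6'

# Verify: current leases and reservations in the scope, and that this DHCP
# server is authorized in AD (unauthorized servers on the domain will not lease).
Get-DhcpServerv4Lease -ScopeId $scopeId |
    Select-Object IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime
Get-DhcpServerInDC
```

Keeping server addresses out of the dynamic range (the exclusion above) is what prevents a workstation lease from ever colliding with a statically configured server.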
Developing a web presence is no easy task; it requires a significant amount of time and planning. By creating a solid DNS namespace, ESI can greatly improve the access that employees, clients and potential clients have to needed resources. Creating a domain name also requires preplanning and money. By creating a DHCP IP scheme to assign IP addresses to hosts automatically, we will save a large amount of time and energy managing our network. By combining all of these elements, ESI will have a web presence and can accommodate its growing business.
References
WebsiteGear. (2004). Website domain name configuration. Retrieved from http://content.websitegear.com/article/domain_setup.htm