Active Directory Essentials: Navigating the Object Database for IT Pros

Captions
This channel is dedicated to IT students, IT professionals and anyone who enjoys learning technical subjects. We're going to be looking at Active Directory and laying some very important foundations. Our purpose in this demonstration presentation is making Active Directory interesting, engaging, practical but technical, slowly building our understanding of the complex scope of what Active Directory has become.

To understand the importance of Active Directory you've got to step back in time and look at where business and industry and computers were at in the early 1990s. Computers at that point were peer-to-peer, workgroup; there was no centralized management. We were still using coax cable and BNC connectors to connect all our networks. They were generally classroom to classroom; we didn't have the ability to expand our network beyond one single classroom. Large corporations were using thicknet instead of coax cable, and they were able to do a more effective job of networking large floors and multiple floors. Every computer and server was managed individually, and companies that began to push 50 to 100 plus computers were really experiencing difficulty with this model. There was definitely a need for centralized management of network objects, hosts, digital objects. At the beginning Novell brought out their Novell Directory Services, but it just never took off. Behind the scenes there was the X.500 directory standard that was being developed by the telephone companies. Now a directory is organizing digital objects in a very logical way and relationship in a database. If you're thinking in 1990, the idea of a directory being the solution to centralizing management of networks, that was a real off-the-wall idea.

But let's take a look at this picture on this slide. If we take the elements of our network, let's just take users. Over here we've got users, and then if we break down users into the accounting department, Human Resources department, engineering department, on and on and on, then we could break down just the accounting department into individual users. They've got 15 people in the accounting department, and then each user has a username, a password, a telephone number (at that time we didn't have any such thing as a cell phone number), supervisor's name, etc., etc. You can start seeing the metadata of every object in your directory and their interrelationship with each other. Pump it into a database, build a set of protocols with which it can communicate out to all these computers, servers, networking devices, and you've got what is the basis for a centralized management system.

Now in an organization you've got a lot of physical objects: you've got computers, servers, storage, switches, routers, firewalls, printers, cloud devices. And in an organization you have a lot of digital objects. These are things you can't touch: user accounts and associated metadata, computer accounts and associated metadata, policy, security, dev, single sign-on, cloud digital objects. Now the Active Directory server database can manage up to 2.15 billion objects; Azure Active Directory can manage about 50,000 objects. Notice there's a big difference between Azure Active Directory, which is being hosted in the cloud, and Active Directory, which is hosted on a server. Active Directory was released with Windows Server 2000 in 1999.

Now just having a database with lots of objects in it and protocols does not give you centralized management, but look at this diagram. Look at these powerful services that plug into Active Directory: Group Policy, with its granular control over users, computers, servers, allowing administrators to manage your Windows updates using the Windows Server Update system. You have Certificate Services that allow you to deploy certificates throughout your organization, even in a multinational corporation. You have Rights Management that allows you to control your documents, your intellectual property, in a much more granular way. Authentication services give you single sign-on. Infrastructure services allow you to control the relationship between objects on your network. You literally could spend two hours on each of these services that plug into Active Directory. This is a great slide because it really gives you a picture of what connects into Active Directory: we have email systems, applications (which are very important, giving you that single sign-on capability even with applications), firewall services, network devices, Windows servers, Windows clients, Windows users. It gives you a comprehensive control and management system over your network. Now in today's environment Microsoft really is pushing you to connect your local Active Directory servers to Azure Active Directory; that's its goal for today's enterprise. Now this is my Azure Active Directory web interface to my home network. I can connect this directly to my local home Active Directory network.

One of the most serious problems facing Active Directory today is that it's a major attack vector for malicious actors. If you take over a company's Active Directory admin account, you own that company. If you're responsible for Active Directory in your company, you must start learning the basic procedures for protecting your Active Directory against criminals. Even though in a domain we primarily use domain accounts (domain admin accounts, domain user accounts), when criminals attack your Active Directory they typically go after a local admin account. So we create a Group Policy Object that says that a local admin account is denied access to any computer from the network; we deny the local account from logging on as a batch job; we deny the local account the right to log on as a service; we deny it the right to log on locally; we deny it the right to log on through Remote Desktop Services. This is a fundamental protection from a local account to your Active Directory domain accounts. So we take these user rights highlighted in red and we add the local administrator to all of these, and we deny the local administrator the ability to do this. We're not impacting domain accounts; we're impacting local computer accounts. Another important protection for your Active Directory is making sure that all your local admin passwords are changed on a regular basis, and you can get Microsoft's LAPS (Local Administrator Password Solution) and it will randomize all your local admin passwords on a regular basis. This is a very important protection. Now obviously we could spend a lot more time just on Active Directory security, but we've got other things to cover.

Let's lay down the concepts of forests, domains and admin control. When you install Active Directory Domain Services for the first time in your home network or in your business, you are going to build this domain structure; it is called a forest root domain. That is the beginning of Active Directory. It doesn't matter whether you have subdomains (here we see Division 3, another subdomain, Division 2, another subdomain); it doesn't matter how many or how few, your first one will be a forest root domain. The forest, that's the security boundary for Active Directory. You'll have Enterprise Administrators, Domain Administrators and Schema Administrators for that forest root domain. Now Microsoft allows you to add another service called Active Directory Federation Services; this allows better connectivity to cloud services. In most cases your main concern will be Active Directory Domain Services; that's going to be AD DS.

Now when you begin the process of installing Active Directory on a server, you will go to Add Roles and Features, and you'll notice, when you check Active Directory Domain Services, that automatically the DNS service will be added and File Services will be added to your domain controller. DNS is integrated into Active Directory. This DNS is not like a DNS server on the internet; the DNS server in Active Directory is primarily for the Active Directory domain only, so that clients and servers can find resources and each other on the network using their own internal DNS server. This DNS service does not share to the internet what it knows about your internal domain. You can see in the dialog box where we're installing Active Directory that we also could install Active Directory Federation Services as well as Active Directory Lightweight Directory Services, which is primarily for applications. It's very wise, once you're hired within a company (you may not have a lot of exposure to Active Directory, but by the time you get in and are employed as an IT professional in a company), to start digging in and understanding not only Active Directory but how your company implements it. There are lots of ways of designing Active Directory: you can have a forest root domain, you can have multiple subdomains, you can have external domains that you connect through the forest. There's lots of ways of designing it. It can be as simple as that, and that's really the recommendation: keep your domain design as simple as possible. Active Directory is capable of handling an enormous amount of objects and managing an enormous amount of objects. Orange County Public Schools is the ninth largest district in the U.S. You can see they have over 205 schools, 206,000 students, 24,000 employees. I can tell you they have lots of computers and servers, and their single domain is more than adequate for this very large school district. Again, your Active Directory could be very complex because it's multinational, spans the globe; it depends on your corporate philosophy, your enterprise structure; many other factors come into how you design Active Directory.

So let's get practical. If I'm going to install Active Directory I need two servers minimum, always two domain controllers. You can have more if that makes sense for your organization. Now once you take a Windows server and you add Active Directory, it now becomes a domain controller. You should not have any other software on your domain controller except Active Directory. Now Microsoft recommends that you use Windows Server Core for your Active Directory install. Now you can run Active Directory in virtual machines; I run my home lab on two domain controllers on a virtual machine. But be sure you look at best practices when you do run Active Directory on virtual machines; make sure you do your homework.

So, understanding forests, domains and trees: why, when we installed our first domain, did it have to be a forest root domain? The reason why is because many companies many times purchase or integrate into another company. So for example, if quest.com goes out and purchases oneidentity.com, Microsoft builds a mechanism to connect this DNS space with its domain and tree (it's got some subdomains) and bring it into your domain quest.com. That is what a forest is for. So you always start with a forest root domain, and here you notice we built in quest, we've got two subdomains, and their relationship is what is known as a tree. oneidentity.com has two subdomains; that relationship to the root domain is a tree relationship. When I take quest.com and oneidentity.com and I combine them together in an Active Directory, I now have a forest. It is very important to understand that Active Directory is built on top of DNS. The whole concept of DNS, of having top-level domain names and then subdomain names such as sales.quest.com and hr.quest.com being a part of the DNS name quest.com, which is a top level: everything about DNS integrates into Active Directory. So all domains are built on DNS namespaces. All Active Directories begin with a forest root domain, which in this case is quest.com, and you can build as many subdomains as you want. It's not always desirable to do that; as we're going to see, keep it simple as much as possible.

Another important concept is a domain controller. Remember we like two in each domain, and we have three domains. A domain controller is authoritative only in the domain that it's in, so a domain controller in quest.com has no authority in sales.quest.com. Whatever domain your domain controller is in, that's where it's authoritative, only. We've also looked at the concept of Active Directory trees, where we have a top-level domain, in this case contoso.com, and then we have a subdomain us.contoso.com and ohio.us.contoso.com. This relationship is called a tree. Okay, Mr. Venable, if domain controllers are only authoritative in each of these domains, how does the whole thing work together? Ah, that's where a forest comes in. And if you'll notice the global catalog: you actually add a server in each of these domains with what is known as a global catalog, and this global catalog will go in and pull information out of each of these domains so it's available to anybody in these domains. Now back to this picture again, because we need to understand that forests, although we've already talked about how they allow a company to bring in another company if they acquire another company, are really about a discontinuous DNS name. So quest.com is a discontinuous DNS name from oneidentity.com. A forest allows discontinuous DNS namespaces to connect together and trust each other. That's another important element of a forest. Here's another example of that: here we have contoso.com and a subdomain, and then we have fabrikam.com and a subdomain. A forest allows these two discontinuous DNS namespaces to join together, build trust relationships, and again a global catalog will be provided so that we can accumulate data out of each domain so they'll all work together. Domain controllers are still authoritative only in the domain that they're located in. Now do you need all these trees and these extra subdomains? No. Where possible keep your domain a single domain, a forest root domain, that's it. Many large companies have this as their Active Directory model.

Now time synchronization is very important in Active Directory. We take our domain controllers, we use the NTP protocol, which is Network Time Protocol, and we connect to a time source, some server that gives us an accurate measurement of time. We want all of our clients, all of our servers synced in time. We don't want domain controllers 10 minutes faster than a few clients; that's going to create problems. Now synchronization on time doesn't mean that we can't have time zones; that's fine, as long as everybody is using the same time source. NTP gives us accuracy up to 10 milliseconds; a new protocol called PTP is giving us accuracy in microseconds. Many corporations buy what's known as network time servers; I'll show a few on the screen.

What is the most important thing you need to know how to do in Active Directory? You need to know how to recover and restore your AD to a functional state, because you will make mistakes. Some considerations when you're building your domain controllers: I usually build my domain controllers with three hard drives, a C drive for the operating system, a D drive for the Active Directory database, and then an E drive for backup. I usually use Microsoft Server Backup; it's free, it's built into Windows, and I back up my domain controller with Microsoft Server Backup. Then I have an external backup system that backs up all of the other elements combined. I also use Veeam installed on my host and my parent to back up my VMs. On a physical server you use RAID 1 for the C drive, RAID 6 or RAID 10 for AD. So in my home lab, this is what I run one of my AD servers on: it's always on, extremely low power, fully x64 compatible with UEFI and Secure Boot, low-cost, Windows Server Core on it, easy to physically secure; not recommended for a business or enterprise.

Some other domain controller considerations that you need to think about: domain controllers need to have a static IP address. Then all of your computers in your domain must use the domain controller's IP address as their DNS server. Typically each LAN (local area network) will have its own DC. So here's an example of my clients, and this is their IPv4 configuration, and you notice under IPv4 DNS servers they have 192.168.0.230; that's the IP address of one of my domain controllers. Anytime you have a PC on a domain it must use the DC as its DNS server. Domain controllers will always have DNS installed; this allows everyone in the domain to find the resources that they need.

Let's take a quick look. I'm using Active Directory Users and Computers, which is a tool that I can use to look into the Active Directory database, and it shows me a structure. Now be careful: this is a database, it's not a set of folders and subfolders like a hard drive, even though it shows relationships that look like folders and subfolders on a hard drive. Think about your registry: your registry shows what looks like, in regedit, folders in relationship to subfolders, but it's not; it is trying to make a database more understandable to the IT pro. They're not folders and subfolders like your hard drive. This is a database, not a hard drive. We have some special icons. This icon is what we know as a container, and notice it has an icon just like the one below it under Computers. But notice this one under Domain Controllers, Home Lab Laptop, Home Lab PC: notice their icons are different. These are organizational units, these are OUs. The ones that have a plain icon are known as containers. Now I took Windows Admin Center and I went out and I looked at my Active Directory, just like I did with the other tool, Active Directory Users and Computers. Now I'm using Windows Admin Center. I've selected my domain controller Win2016DC1, and I've chosen to look at my Active Directory on this domain controller, and if you'll notice, I see a lot of the same objects in this database that I just saw with Active Directory Users and Computers. Notice it shows me that this Computers is a container, this Domain Controllers is an OU, this Home Lab Laptop is an OU. So I have container and OU, and those are going to be very important distinctions that we understand.

Now Active Directory is a single file called ntds.dit. I've got a screenshot up here and it has both Active Directory Users and Computers showing you the database, and then down below is Explorer, where I'm looking at the hard drive and I'm in a folder on my E drive called NTDS, and this file right here, ntds.dit, is my Active Directory database. This is a tool that allows me to see it in a visual fashion. Again, inside Active Directory we have containers, and they have an icon like this. You cannot delete containers, which is good. Then we have organizational units, which have an icon that looks like this, and this is Home Lab Laptop, and this is where I put all my home laptops, in this OU. This is important because when I apply Group Policy Objects (GPOs), restrictions, control over objects in my Active Directory, I have to put GPOs on an OU only; I cannot put a GPO on a container. Now notice this wizard dialog box: when you install Active Directory on your server you're going to get this option: where do you want to store your Active Directory database, where do you want to store your log files, and where do you want to put your SYSVOL folder. This is where I choose to put it on a separate drive. Now in our NTDS folder are our critical Active Directory files. When we look at any file with the extension .chk, this is a checkpoint file. Checkpoint files are very important; they're commonly used in transactional database systems to keep track of what log entries have been committed to the database. This is extremely important should you want to recover from a crash. Log files are transactional logs used to record changes in Active Directory, and .edb files are temporary files also used to track transactions. Now Active Directory uses a database engine called JET Blue. It's called an indexed sequential access method, ISAM. Exchange uses this database engine, Windows Server BranchCache uses it, and Windows Desktop Search. I recently did a video on Windows Desktop Search, so if you'd like more information on JET Blue take a look at that video.

Because we have more than one domain controller in a domain, maybe three, maybe four, replication, or keeping these databases in sync, is very important. In keeping these databases together and in sync, Microsoft uses a multi-master model: nobody has a higher authority than the other, they're all domain controllers. They use what's called pull replication; it keeps them in sync. Pull requests are made every 15 minutes. All traffic is encrypted between domain controllers, and there's a feature called the KCC (Knowledge Consistency Checker) that verifies all this data that's moving across domain controllers to make sure that data is accurate.

Active Directory depends on a number of technologies; let's take a look at them. We've already mentioned one feature that Active Directory cannot function without, and that's DNS. Another one is RPC. This is a protocol built into Windows; you use it all the time on your clients, your Windows 10, Windows 11, Windows servers. RPC is used all the time. RPC allows a process on a server to communicate flawlessly with a process on the client and vice versa, so it's a very important protocol. LDAP is a set of rules; it's a protocol that allows applications to talk to the Active Directory database. And Kerberos is the authentication method, so we can authenticate an individual or a computer or an application and trust that they are who they say they are.

Now for many of you who want to build your first Active Directory, I want to explain how I named my Active Directory; it's not intuitive. When I purchased my domain techsavvyproductions.com I applied it to a website; it is hosted by square.com. So that DNS name, the top-level DNS name, was already a part of square.com's IP address that represents my website. So when I wanted to choose a DNS name for my Active Directory, it had to be a subdomain of techsavvyproductions.com, so I chose homelab.techsavvyproductions.com and that became the DNS name of my Active Directory. I couldn't use techsavvyproductions.com because it was already associated with square.com's IP address for my website. Now to be sure, this is not the process nor the strategy that you would take with a thoughtfully laid out business strategy. With a small business strategy you would incorporate your AD and your website carefully so that they could share the same top-level domain, but many companies start with a website and then grow to the point that they need Active Directory, and so they fall into this category.

To be clear, our presentation on Active Directory is at a fundamental or foundational level. Here's an example of the complexity of Active Directory: this is the step-by-step communication process that goes on between a computer that is not on the domain, joining it, and a domain controller. It's quite complex. So once I join the domain, how do I access files, folders and applications? Well, you must authenticate. Kerberos is used by Active Directory for authentication. It uses a non-intuitive method: for example, you go to the domain controller and you request a ticket-granting ticket and you get a session key; you're given authority and authentication credentials, and with those you can go to resources on the domain and access folders, files, and of course then NTFS permissions kick in. So there's a complex set of authentication, and then on our servers there's NTFS; all of that combined with Group Policies provides a layered approach to security.

There's lots of cool Active Directory tools. Microsoft gives the IT pro lots of Active Directory tools: there's Server Manager on each of your Windows servers; there's Active Directory Admin Center, which is built into most of your server products; there's the RSAT tools, we'll look at those; there's Windows Admin Center, which is where Microsoft is trying to push us all towards; and of course PowerShell. A tool that you will find yourself often reaching for and using to control and secure your network is going to be Group Policy. Group Policy is one of the most powerful tools in Active Directory. Now Microsoft's vision for Active Directory is premises-based: you have domain controllers with Active Directory on those domain controllers, then you connect to Azure, and then you have Azure Active Directory. That is Microsoft's present vision.
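The five local-admin logon denials described in the security portion of the talk can be verified on a domain member with the script below; it is an added example, not code from the video, and it reads the effective local security policy with secedit, then reports for each deny right whether the built-in local Administrator account (RID 500) is listed. The privilege names are the real secedit constants; treating the well-known SID S-1-5-114 ("Local account and member of Administrators group") as covering the local admin is an assumption about how the GPO may have been populated.

```powershell
# Added example (not from the video): audit the "Deny ..." user rights that the
# presenter applies to the local administrator account via Group Policy.
# Run in an elevated session on a domain-joined client or member server
# (not on a domain controller, which has no local SAM accounts).

function Test-LocalAdminDenyRights {
    # secedit privilege constants for the five rights highlighted in the talk
    $denyRights = @(
        'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
        'SeDenyBatchLogonRight',              # Deny log on as a batch job
        'SeDenyServiceLogonRight',            # Deny log on as a service
        'SeDenyInteractiveLogonRight',        # Deny log on locally
        'SeDenyRemoteInteractiveLogonRight'   # Deny log on through Remote Desktop Services
    )

    # Export the effective local security policy, which includes GPO-applied settings.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -Force

    # SID of the built-in local Administrator: <machine SID>-500.
    $localAdminSid = (Get-LocalUser |
        Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value

    # Assumption: a GPO may list the well-known group S-1-5-114
    # ("Local account and member of Administrators group") instead of the account itself.
    $coveringSids = @($localAdminSid, 'S-1-5-114')

    foreach ($right in $denyRights) {
        # Export lines look like: SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        if (-not $line) {
            [pscustomobject]@{ Right = $right; Status = 'NOT CONFIGURED'; Sids = '' }
            continue
        }
        $sids = ($line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
        $covered = @($sids | Where-Object { $coveringSids -contains $_ }).Count -gt 0
        [pscustomobject]@{
            Right  = $right
            Status = if ($covered) { 'OK' } else { 'MISSING local admin' }
            Sids   = ($sids -join ', ')
        }
    }
}

Test-LocalAdminDenyRights | Format-Table -AutoSize
```

A row reading NOT CONFIGURED or MISSING local admin means the GPO the presenter describes is not in effect on that machine for that right.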
Info
Channel: TechsavvyProductions
Views: 5,916
Id: F8x3_Dc4egE
Length: 30min 22sec (1822 seconds)
Published: Wed Nov 09 2022