Question

Write a 250- to 350-word paper discussing the key features and components of each directory service and how those components would best be applied for a gym facility.

Answer #1

You should understand how Active Directory is structured in order to make sound security decisions. Five key structural components make up Active Directory. Each has distinct characteristics, and security concerns follow from them. To understand how each element fits into the overall scheme of Active Directory, you must first know the details of each component. Then we can begin to put the different components together with respect to functionality and security. The key components are domain, tree, forest, organizational unit, and site.

As you read through each structural component description, keep in mind that domains, trees, forests, and sites are not only crucial to Active Directory but also essential to DNS. Active Directory relies on DNS to ensure that the records stored in the DNS database are reliable and secured. If DNS is compromised or becomes unstable, features such as name resolution, domain controller location, Kerberos, and GPOs could fail. This would leave the IT infrastructure vulnerable and in a state of weakened security.

1 Domains
The domain is foundational for Active Directory. In all versions of Windows, the domain is the key administrative component that most administrators deal with day in and day out. To understand domains, we need to learn what a domain is and what a domain is not. If we look at the configuration options required during setup of a domain, we can understand much of what is included in the domain. First, you are required to give the domain a name. With Active Directory, there are two names for every domain:

1.1 NetBIOS domain name
This is the downlevel domain name used to communicate with client computers and applications that do not use DNS to locate domain services, such as domain controllers, but instead use NetBIOS. Operating systems that rely on the NetBIOS domain name include Windows 95, 98, and NT.


1.2 DNS domain name
The DNS domain name is used throughout the management tools, as well as by client computers during authentication. Only clients that support Kerberos can use the DNS domain name when they authenticate to Active Directory. Operating systems that rely on the DNS domain name include Windows 2000, XP, Server 2003, and earlier Windows operating systems running DSCLIENT.

Next, the domain is a policy and replication boundary for Active Directory. When we get to the forest definition, we will see how the forest provides a security boundary, but the domain does provide a replication boundary for policy-based security settings, which include Account Policy, Group Policy Objects, and replication.


1.3 Account Policy
The Account Policy for domain users is established at the domain level. The Account Policy for the domain level includes control over passwords, account lockout, and Kerberos authentication. This means that domain user accounts cannot be managed at the organizational unit level; they must be managed at the domain level. Also, the Account Policy is not inherited from the parent domain, if we are focusing on a child domain. There is no possible way to get a parent domain to push down Account Policies to child domains.


1.4 Group Policy Objects
GPOs are the primary means of pushing out security to computers within the domain. However, GPOs that are configured within a domain do not and cannot span multiple domains by inheritance or hierarchy. The GPOs can be made available to other domains, but there is no option to configure GPOs to span domains with a single configuration.


1.5 Replication boundary for the domain naming context
Active Directory's database is split into four main contexts: domain naming, configuration, schema, and application directory. The domain naming context is responsible for user accounts, group accounts, and computer accounts. When domain controllers replicate to exchange and synchronize the changes from other domain controllers, the domain naming context is synchronized only with domain controllers in the same domain. This provides security in that user accounts that are configured in one domain do not have access to resources in other domains until an administrator configures that access. The Application Directory Partition is new for Windows Server 2003 domain controllers and can be used to hold dynamic data. Most Active Directory installations that use this partition use it to store DNS information.

2 Trees
The concept of an Active Directory tree is tied to the DNS namespace. When you bring a new domain into an existing Active Directory forest, you are forced to indicate where the new domain name will be placed in relation to the other domain names that are in Active Directory. You can either place the new domain name beneath an existing domain name, making it a child domain, or you can place the new domain name adjacent to the first domain name you created (the forest root domain). Figure 13-2 illustrates both of these options.


The main thing to notice in the representation of an Active Directory tree is the contiguous namespace. Figure 13-2 shows two trees. One tree has the namespace contoso.com, and the other tree has the namespace woodgrovebank.com. You can see that the child domain of contoso.com shares the same DNS suffix as the parent. From a security viewpoint, there is really no difference between having a child domain or a domain that begins a new tree, as woodgrovebank.com does. So, in essence, the definition of an Active Directory tree is a contiguous namespace, that is all!

To reiterate the point from our discussion about domains, the domain administrators in the contoso.com domain would not have any administrative capabilities in the child.contoso.com domain nor in the woodgrovebank.com domain.



What all of the domains do have in common is connected access by way of the automatic, two-way, transitive trusts that are created by being installed into the same forest. These trust relationships provide a means for administrators to allow users from other domains to access resources in their domain. The key to remember is that this access for users is not available by default; it must be granted by the administrator of the resource first.

3 Forests
A forest contains at least one Active Directory tree. The forest structure is also decided at the installation of the first domain controller for a new domain. When the domain controller is configured, the wizard will ask if you want to have a new forest of domains, and you will reply with a yes. At this time, you have made a distinct decision to disjoin the new domain from the other domains in almost every way. Without good documentation or a tool that can graphically represent the forest structure, you may have a difficult time figuring out where one forest ends and where the next forest begins. Figure 13-3 illustrates graphically what multiple forests might look like.



It is very important to note that there is no trust relationship between the two forests in the figure. This is the true separation of domains in different forests. If there is no trust between domains in different forests, it is clear that the users in one forest do not have access to resources in the other forest. For many companies, this is the driving decision to create different forests. For some business or political reasons, some of the users and resources need to be completely disjoined from each other.

From the ultimate security standpoint of domains, trees, and forests, the forest is the true security boundary among the Active Directory structural components. Nothing is shared between forests, not the schema, GPOs, or administration. Some features, however, do have forestwide effects, including the following:


3.1 Global catalog
The global catalog is the "phone directory" for the forest. Every object from every domain is represented in the global catalog, just not every attribute of every object. The attributes that users would want to search for are included in the global catalog. Some of those attributes include phone number, address, and email address. When a user searches for an object in Active Directory using the built-in search tool, the global catalog is referenced to help find the object.


3.2 Schema
As mentioned earlier, the schema is the foundation of object structures for the entire forest. Every domain in the forest shares the same set of object structures that are defined in the schema. If an attacker accesses or modifies the schema, every domain in the forest would be affected. The schema is one-third of the directory database, which is stored on all domain controllers in every domain. Only one domain controller in the forest can update the schema: the Schema Master.



4 Organizational Units
Organizational units (OUs) are objects within a domain that help organize the other objects in the domain. OUs cannot span multiple domains, but they can be configured in a hierarchy within the domain.

There are two primary reasons, both security focused, for designing and implementing OUs. The first is delegation, which as we have already seen enables administrators to delegate administrative duties to other administrators or even employees. The other is the deployment of GPOs. GPOs cover security settings, software deployment, computer configuration, folder redirection, and more.


4.1 Delegation
By far one of the most important features of Active Directory is delegation. However, delegation without a strong OU design is almost impossible to implement. OUs need to be designed to delegate administration. The key to delegation is to have the OU contain the objects that the delegate will control. For example, if you have delegated the ability for the HR manager to reset passwords for only the HR employees, then there needs to be an OU for these user accounts. A suitable design would have an OU named HR_employees, which contains only the user accounts of the HR personnel. The design would have this OU low in the OU hierarchy, so that no other OUs are beneath it. In that design, the HR manager will not have control over any other user accounts by default.


4.2 GPO deployment
Many administrators overlook the consideration of GPO deployment when they design OUs. This is a mistake, especially for security reasons. The GPO deployment must be interwoven with delegation considerations. If there is a conflict between the two design goals, the delegation needs usually win. In that case, the GPO deployment would be handled by filtering the GPO (setting permissions on the GPO). An example of a typical GPO design would be the configuration of the Internet Explorer proxy settings for a branch office. All employees within the branch office need to have the same proxy settings for IE, which can easily be set by using GPOs. In this case, there would be an OU named Branch1_employees, which contains the user accounts for only the branch office. This OU would be low in the OU hierarchy, with no other OUs beneath it.

A mistake that many organizations make is to replicate their company's organizational chart in their OU design. OUs are not well suited for this model, since it generally breaks how the administration of objects and the deployment of GPOs are implemented. This is not to say that a small percentage of companies have not successfully used the org chart for the OU design, but in most cases it will cause more pain than benefit.


OUs should not be confused with containers. A container is a default folder in Active Directory. Default containers include Users and Computers. These are used by Active Directory to store the default user accounts and computer accounts. The main difference between OUs and containers is that GPOs can be linked only to OUs, not to containers.


5 Sites
Although sites do not directly affect security, the reasons for them and their implementation are critical to the overall Active Directory structure. If you are using VLANs for security reasons, the design of your VLANs could affect the design of your sites. So security or other network criteria may play a part in the site design. Sites themselves are designed primarily to control replication between domain controllers. A secondary reason for sites is to control access to resources, by directing users to resources in their own site before going across the WAN. By default, domain controllers within the same site replicate every 15 seconds and have a convergence time of 45 seconds in a default Active Directory environment. This is usually an acceptable design, as long as the domain controllers have enough bandwidth between them and the bandwidth is available for this schedule of replication.

If enough bandwidth is not available, a less frequent replication schedule is desired. With the default site configuration of only a single site, there is no method to reduce the replication that occurs between domain controllers. To solve this, additional sites are created and domain controllers are moved into those sites, which allows for controlled replication between the domain controllers in the sites.

Here are some characteristics of sites:

Sites can include domain controllers from different domains.

Sites are represented by subnets. The subnets are extremely important for sites, since that is how the client computers track down resources in their own site using DNS.

Sites are commonly associated with regions, but not always. Sites are generally configured for networks that are "highly connected", generally defined as 10 Mbps or higher.

When designing and implementing sites, key configurations need to be addressed:

The schedule of the replication needs to be defined. The default schedule is to have the sites replicate every three hours. In most cases this will be sufficient, but if sites are in close proximity to one another or on different floors of the same building, this may not be fast enough.

The domain controllers need to be placed in the sites. If a domain controller fails to be placed in a site, it will most likely not be used by the network clients, because its IP address will not fall into the appropriate subnet configured for the site.

The subnets need to be configured for the sites. A single subnet cannot span multiple sites, but a site can, and commonly does, contain multiple subnets.

The overall convergence time needs to be considered. If several sites are configured, how the sites will replicate to one another needs to be considered, in order to help determine how long it will take a change to replicate to all of the domain controllers in every site.
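The OU, delegation and GPO design described in the answer above, as an added PowerShell example that is not part of the original answer or of the book it quotes. It builds the HR_employees and Branch1_employees OUs, grants one group only the Reset Password right on user objects under HR_employees, links a proxy GPO to the branch OU and filters it by group permission, and then checks that the delegated right appears on the HR OU and not at the domain root. Assumptions: run as a Domain Admin on a host with the ActiveDirectory and GroupPolicy modules; the group names HR_PasswordResetters and Branch1_Users and the proxy host name are hypothetical.

```powershell
# Added example (not from the original answer). Assumes Domain Admin rights and the
# ActiveDirectory + GroupPolicy modules (RSAT or a domain controller).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=contoso,DC=com

# 1. OUs placed low in the hierarchy: each holds only the accounts the delegate should touch.
$hrOU     = New-ADOrganizationalUnit -Name 'HR_employees'      -Path $domainDN -ProtectedFromAccidentalDeletion $true -PassThru
$branchOU = New-ADOrganizationalUnit -Name 'Branch1_employees' -Path $domainDN -ProtectedFromAccidentalDeletion $true -PassThru

# 2. Delegation: a group (never an individual account) receives the "Reset Password"
#    control-access right on user objects beneath HR_employees, and nothing else.
#    Group name is hypothetical.
New-ADGroup -Name 'HR_PasswordResetters' -GroupScope Global -Path $domainDN | Out-Null
$hrResetters = Get-ADGroup -Identity 'HR_PasswordResetters'

$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # rightsGuid of "Reset Password"
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class

$hrPath = "AD:\$($hrOU.DistinguishedName)"
$acl = Get-Acl -Path $hrPath
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $hrResetters.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path $hrPath -AclObject $acl

# 3. GPO deployment: a per-user IE proxy policy linked to the branch OU. Proxy host is hypothetical.
$ieKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$gpo = New-GPO -Name 'Branch1-IE-Proxy' -Comment 'Per-user proxy settings for branch office 1'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $ieKey -ValueName 'ProxyEnable' -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $ieKey -ValueName 'ProxyServer' -Type String -Value 'proxy.branch1.contoso.com:8080' | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $branchOU.DistinguishedName -LinkEnabled Yes | Out-Null

# Security filtering, as the answer describes for the case where OU layout must follow delegation
# rather than GPO needs: only Branch1_Users (hypothetical group) applies the GPO. Authenticated
# Users keeps Read so that computer accounts can still retrieve the policy.
New-ADGroup -Name 'Branch1_Users' -GroupScope Global -Path $domainDN | Out-Null
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead  | Out-Null
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Branch1_Users'       -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Check: who holds "Reset Password" at a given container. The delegated group must show up
#    on HR_employees and must be absent at the domain root.
function Get-ResetPasswordDelegation {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.ObjectType -eq $resetPasswordGuid -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, InheritanceType, InheritedObjectType, IsInherited
}

Get-ResetPasswordDelegation -DistinguishedName $hrOU.DistinguishedName   # expected: HR_PasswordResetters listed
Get-ResetPasswordDelegation -DistinguishedName $domainDN                 # expected: no HR_PasswordResetters entry
```

The ACE is scoped with Descendents plus the user class GUID, so the group can reset passwords only on user objects under HR_employees; it cannot create objects there or touch computers or groups. Keeping HR_employees at the bottom of the hierarchy is what prevents the inherited ACE from reaching any other accounts.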

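The site, subnet and replication-schedule checklist above, as an added PowerShell example that is not part of the original answer. It creates two sites, maps IPv4 subnets to them, sets a 60-minute inter-site schedule in place of the 180-minute default, moves a domain controller into its site, and then verifies that every domain controller's IP address falls inside a subnet assigned to the site it sits in, which is the misplacement failure the answer warns about. Site names, subnets and the DC name are hypothetical.

```powershell
# Added example (not from the original answer). Assumes Enterprise Admin rights and the
# ActiveDirectory module; site names, subnets and DC02 are hypothetical.
Import-Module ActiveDirectory

# 1. One site per well-connected location; subnets are what map clients and DCs to a site.
New-ADReplicationSite -Name 'HQ'
New-ADReplicationSite -Name 'Branch1'
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'HQ'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Branch1'

# 2. Site link across the WAN: replicate every 60 minutes instead of the default 180.
New-ADReplicationSiteLink -Name 'HQ-Branch1' -SitesIncluded 'HQ','Branch1' `
    -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# 3. Place the branch DC in its site (the DC object moves; its IP must also be in a Branch1 subnet).
Move-ADDirectoryServer -Identity 'DC02' -Site 'Branch1'

# IPv4-only CIDR membership test; IPv6 subnet objects are filtered out before calling it.
function Test-IPv4InCidr {
    param([Parameter(Mandatory)][string]$IPAddress, [Parameter(Mandatory)][string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $toUInt32 = {
        param($ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($b)                        # network byte order -> little-endian for BitConverter
        [BitConverter]::ToUInt32($b, 0)
    }
    # Mask built arithmetically to avoid PowerShell's signed 32-bit hex literals.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    ((& $toUInt32 $IPAddress) -band $mask) -eq ((& $toUInt32 $network) -band $mask)
}

# 4. Check: for every DC, the subnet that contains its IP must belong to the site the DC is in.
#    A DC whose IP matches no subnet, or a subnet of a different site, is the case the answer
#    describes as "not used by the network clients".
function Test-DCSitePlacement {
    $subnets = Get-ADReplicationSubnet -Filter * | Where-Object { $_.Name -notmatch ':' }
    foreach ($dc in Get-ADDomainController -Filter *) {
        $subnetSite = $null
        if ($dc.IPv4Address) {
            $match = $subnets |
                Where-Object { Test-IPv4InCidr -IPAddress $dc.IPv4Address -Cidr $_.Name } |
                Select-Object -First 1
            if ($match) { $subnetSite = ($match.Site -split ',')[0] -replace '^CN=' }
        }
        [pscustomobject]@{
            DC         = $dc.HostName
            IPv4       = $dc.IPv4Address
            DCSite     = $dc.Site
            SubnetSite = $subnetSite
            Placed     = ($null -ne $subnetSite -and $subnetSite -eq $dc.Site)
        }
    }
}

Test-DCSitePlacement | Format-Table -AutoSize
```

Run the placement check again after any subnet or VLAN change: the answer's point that VLAN design drives site design shows up here as a DC or client subnet that silently stops matching its site.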