Designing an Effective Authentication Topology. Gil Kirkpatrick CTO, NetPro


Introduction
- NetPro: The Directory Experts
- Gil Kirkpatrick, CTO
- Architect of DirectoryAnalyzer and DirectoryTroubleshooter for Active Directory
- Author of Active Directory Programming (Macmillan)

Question Why do we worry so much about optimizing replication traffic when 90% of directory traffic is authentication and lookup?

Agenda
- DC location: how does a workstation determine which DCs to communicate with?
- Active Directory configuration: how do you configure AD for optimal client authentication?
- Some scenarios: hub-and-spoke; Network Operations Center (NOC)

DC Location

Discovery Process
- Workstations use DNS to locate DCs
- Clients need to locate the AD servers that offer directory services:
  - for authentication: DC, GC, Kerberos KDC
  - for directory lookup: GC
- The discovery process runs when a user logs in; it is called by the NetLogon service and by any application that uses the DsGetDcName API
- DC Locator is the mechanism that locates an AD server

DC Locator
- Two sub-components: the IP/DNS-compatible locator and the NetBIOS-compatible locator
- IP/DNS-compatible locator: used by DNS-enabled clients; always tried first; locates servers by querying Service (SRV) records in DNS
- NetBIOS-compatible locator: used by legacy clients (Windows for Workgroups, Windows NT 3.5x, Windows 9x); uses WINS as its name resolution service

Locator and Sites: new machine (diagram)
- Scenario: mypc is a new machine in Cupertino with no site name saved yet. DNS holds _ldap._tcp.megacorp.com SRV records for dc01 and dc02, plus site-specific records placing dc01 in the Munich site and dc02 in the Cupertino site; AD holds the matching site and subnet objects.
- Step 1: mypc asks DNS "What are the DCs for megacorp.com?" and gets dc01 and dc02.
- Step 2: the DC that answers first (dc01, in Munich) replies with (1) the client's site (Cupertino, derived from the client's subnet), (2) the DC's own site (Munich) and (3) the Closest Site bit (false).
- Step 3: mypc asks "What is the DC in the Cupertino site?" and gets dc02.
- The client saves its site name in the registry (details later).

Locator and Sites: traveling laptop (diagram)
- Scenario: mypc is a laptop whose saved site (Cupertino) is retrieved from the registry, but it is now connected in Munich.
- Step 1: mypc asks "What is the megacorp.com DC for the Cupertino site?" and gets dc02.
- Step 2: dc02 replies with (1) the client's site (Munich, from the client's current subnet), (2) the DC's own site (Cupertino) and (3) the Closest Site bit (false).
- Step 3: mypc asks "What is the megacorp.com DC for the Munich site?" and gets dc01; the saved site name is updated.

Query for Directory Services

DC Locator: Process Flow (1)
- DC Locator queries DNS for specific names, built from the site name, for hosts offering specific services
- DNS returns a list of SRV records sorted by priority and weight
- Always select the SRV records with the lowest priority value; among records with the same priority, prefer the higher weight
- DC Locator pings each DC in the list (an LDAP ping) until it gets a first reply

DC Locator: Process Flow (2)
- Once a DC is found, the site name is registered in HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DynamicSiteName
- To override this value, create the entry HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SiteName
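The process flow above, as an added example that is not part of the slides: a Python simulation of the DNS side of DC Locator. It tries the site-specific name _ldap._tcp.<site>._sites.dc._msdcs.<domain> before the domain-wide _ldap._tcp.dc._msdcs.<domain>, orders each answer by ascending priority value and then by weighted random choice within one priority (the RFC 2782 rule the slide paraphrases), and LDAP-pings candidates in that order until one answers. The zone contents, the megacorp.com host names and the ldap_ping callback are constructed for the example; a real client would issue DNS queries and UDP LDAP pings instead.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    """One DNS SRV record (the RFC 2782 fields the locator cares about)."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data for the fictional domain megacorp.com:
# dc01 sits in the Munich site, dc02 in Cupertino, and dc03 is a DC that
# registers only domain-wide records with a deliberately high priority value.
ZONE = {
    "_ldap._tcp.Cupertino._sites.dc._msdcs.megacorp.com": [
        Srv(0, 100, 389, "dc02.megacorp.com"),
    ],
    "_ldap._tcp.Munich._sites.dc._msdcs.megacorp.com": [
        Srv(0, 100, 389, "dc01.megacorp.com"),
    ],
    "_ldap._tcp.dc._msdcs.megacorp.com": [
        Srv(0, 100, 389, "dc01.megacorp.com"),
        Srv(0, 100, 389, "dc02.megacorp.com"),
        Srv(200, 100, 389, "dc03.megacorp.com"),
    ],
}


def order_srv(records, rng=None):
    """Order SRV records the way a locator should try them: ascending
    priority value; within one priority, weighted random selection without
    replacement, with weight-0 records only after every weighted one."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        weighted = [r for r in group if r.weight > 0]
        while weighted:
            total = sum(r.weight for r in weighted)
            roll = rng.randrange(total)          # 0 <= roll < total
            running = 0
            for rec in weighted:
                running += rec.weight
                if roll < running:               # pick proportionally to weight
                    ordered.append(rec)
                    weighted.remove(rec)
                    break
        zeros = [r for r in group if r.weight == 0]
        rng.shuffle(zeros)
        ordered.extend(zeros)
    return ordered


def locator_names(domain, site=None):
    """DNS names DC Locator tries: site-specific first, domain-wide last."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def locate_dc(domain, site, zone, ldap_ping, rng=None):
    """Return (dc_host, dns_name_that_found_it), or (None, None) when no DC
    in any answer replies. ldap_ping(host) -> bool stands in for the UDP
    LDAP ping Netlogon sends to each candidate in turn."""
    for name in locator_names(domain, site):
        for rec in order_srv(zone.get(name, []), rng):
            if ldap_ping(rec.target):
                return rec.target, name
    return None, None


if __name__ == "__main__":
    # Healthy case: a Cupertino client gets its local DC from the site record.
    print(locate_dc("megacorp.com", "Cupertino", ZONE, lambda h: True))
    # dc02 down: the site-specific answer fails, the domain-wide record yields
    # dc01; dc03 (priority 200) is tried only if both priority-0 DCs are down.
    print(locate_dc("megacorp.com", "Cupertino", ZONE,
                    lambda h: h != "dc02.megacorp.com"))
```

The priority-200 record is the behaviour LdapSrvPriority buys you later in the deck: the DC stays discoverable for clients that have nothing else, but is never chosen while a priority-0 DC answers.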

Cache Time-out and Closest Site
- DC Locator can return a DC in a different site; the client stores the location of this DC in memory
- The cache lifetime is controlled by the registry entry HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\CloseSiteTimeout

Cache Time-out and Closest Site (cont.)
- When the timeout expires, DC Locator searches again for a DC in the client's site
- Example: the DSAccess component of Exchange 2000 SP2

DC Locator Characteristics
- DC Locator uses SRV records in DNS to find a DC/GC
- Site-specific SRV records locate services in the same site as the client
- The priority and weight of SRV records allow DCs/GCs to be prioritized
- Issues: DNS configuration on the workstation; DNS may contain useless or incorrect SRV records; DNS updates may add to the network traffic

Registering Service Records on Servers

Overview of Site Topology Design (diagram): Logical Design -> Site Topology Design -> Physical Network

Site Topology Design Objectives
- Build an efficient replication topology: sites and subnets; site links (cost, schedule); bridgehead servers; global catalogs (GC)
- Lay out an optimized authentication infrastructure: placement of domain controllers (DC) in sites; number of servers required (DC, GC); sizing the server profile for each DC

What are the challenges?
- Find a good trade-off between replication traffic and fast authentication against local DCs
- Optimize the number of servers deployed
- Reduce the burden of administration
- Reduce the overall total cost of ownership
- Minimize the security exposure of placing DCs in untrusted sites
- Design the right server profile: number of concurrent clients supported, CPU, RAM

Directory Services Publication
- Domain controllers announce their services when assigned to a Windows 2000 site: SRV records are registered in DNS with site information
- The registration is performed by the NetLogon service
- AD clients look these SRV records up in DNS to find directory services

Service Records Registered in DNS
- A Service Record (SRV) maps the name of a service to the DNS name of a computer; it lets a DC/GC publish directory services
- Each DC/GC registers:
  - Non-site-specific SRV: _ldap._tcp.<DnsDomainName> and _gc._tcp.<DnsForestName>
  - Site-specific SRV: _ldap._tcp.<SiteName>._sites.<DnsDomainName> and _gc._tcp.<SiteName>._sites.<DnsForestName>

Site Coverage
- Each DC/GC advertises directory services for its home site and for DC-less sites adjacent to its site
- A DC creates 4 SRV records per site for the authentication service; a GC creates 2 SRV records per site for directory services

Site Coverage (cont.)
- DC-less sites: locations with few users that do not justify the presence of a DC/GC, and locations that do not necessarily contain a DC/GC of every domain
- Adjacent sites are evaluated using site link cost

Site Coverage (diagram): sites Cupertino, Fremont, San Jose and Mountain View, with site links labelled AMERICAS and EMEA; link costs shown are 50, 50 and 100

Site Coverage: Issues
- May add network traffic: a significant number of SRV records is registered in DNS and refreshed every hour by the NetLogon service
- Number of site-specific SRV records: DC: 4 * N * M; GC: 2 * N * M, where N = number of AD servers (DC or GC) and M = number of DC-less sites to be covered
- 3 DCs + 2 GCs (5 DCs in all, since a GC is also a DC) covering 10 sites: 4 * (3 + 2) * 10 + 2 * 2 * 10 = 240 SRV records in DNS
- 2 DC/GCs covering 50 sites: 4 * 2 * 50 + 2 * 2 * 50 = 600 SRV records in DNS

Site Coverage: Optimization
- Site coverage is enabled by default
- To reduce SRV registration: turn off automatic site coverage, or manually specify the site names a DC can cover
- The action is performed on each DC/GC; GC and DC coverage are customized separately
- Windows 2000: registry keys; Windows .NET Server (released as Windows Server 2003): Group Policy

Site Coverage: Optimization (AutoSiteCoverage)
- Windows 2000: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\AutoSiteCoverage = 0 or 1 (default 1)
- Windows .NET: Computer Configuration -> Administrative Templates -> System -> Net Logon -> AutoSiteCoverage = Disabled or Enabled (default Enabled)

Site Coverage: Optimization (SiteCoverage)
- Windows 2000: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SiteCoverage = list of site names to be covered
- Windows .NET: Computer Configuration -> Administrative Templates -> System -> Net Logon -> SiteCoverage = list of site names to be covered

Site Coverage: Example (diagram)
- Settings on the DC: AutoSiteCoverage = Enabled, SiteCoverage = Mountain View
- Topology: sites Cupertino, Fremont, San Jose and Mountain View with site links AMERICAS and EMEA; link costs shown are 50, 50 and 100

Site Coverage: Example (diagram): Cupertino and Mountain View each connected to Fremont over a 512 Kb link

Site Coverage: Example (diagram): the same topology with both site links to Fremont at cost 100

Site Coverage: Example (AutoSiteCoverage = Enabled)
- Selection process for a DC-less site (Fremont, reachable from Cupertino and Mountain View at cost 100 each):
  1. Lowest site link cost
  2. Site with the larger number of DC/GCs
  3. Sites sorted in alphabetical order
- In our example, Cupertino covers the Fremont site
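The selection rules above and the record-count formula from the "Site Coverage: Issues" slide, as an added Python example that is not part of the slides. auto_site_coverage() applies the three tie-breaks in order for every DC-less site; site links are treated as bridged (the default), so the cost to a candidate site is the cheapest path over the links rather than a direct link only, which is an assumption of this example. site_specific_srv_count() reproduces the slide's upper bound. The topology, site names and server counts are constructed for the example.

```python
import heapq
from collections import defaultdict


def cheapest_costs(links, source):
    """Dijkstra over site links (links: iterable of (site_a, site_b, cost)).
    With site-link bridging the relevant cost to another site is the
    cheapest path over the links, not only a direct link."""
    adj = defaultdict(list)
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist[site]:
            continue
        for nxt, cost in adj[site]:
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return dist


def auto_site_coverage(servers_per_site, links):
    """servers_per_site: {site: number of DC/GC in it}; 0 means DC-less.
    Returns {dc_less_site: covering_site} using the slide's tie-breaks:
    lowest site-link cost, then more DC/GCs, then alphabetical site name.
    A DC-less site reachable by no link gets no entry (nobody covers it)."""
    hosting = [s for s, n in servers_per_site.items() if n > 0]
    coverage = {}
    for site, n in servers_per_site.items():
        if n > 0:
            continue
        dist = cheapest_costs(links, site)
        candidates = [s for s in hosting if s in dist]
        if candidates:
            # tuple order is the rule order: cost asc, servers desc, name asc
            coverage[site] = min(
                candidates,
                key=lambda s: (dist[s], -servers_per_site[s], s))
    return coverage


def covered_by(coverage):
    """Invert coverage: {hosting_site: sorted list of sites it covers}."""
    out = defaultdict(list)
    for dc_less, host in coverage.items():
        out[host].append(dc_less)
    return {h: sorted(v) for h, v in out.items()}


def site_specific_srv_count(n_dc, n_gc, dc_less_sites):
    """Upper bound from the slide: every DC registers 4 site-specific records
    and every GC 2 more for each covered DC-less site. n_dc counts all DCs,
    GCs included, because a GC is also a DC."""
    return 4 * n_dc * dc_less_sites + 2 * n_gc * dc_less_sites


if __name__ == "__main__":
    # Constructed topology matching the slide: Cupertino (DC + GC) and
    # Mountain View (DC) both reach DC-less Fremont at cost 100; a second
    # DC-less site, San Jose, hangs off Mountain View at cost 50.
    servers = {"Cupertino": 2, "Mountain View": 1, "Fremont": 0, "San Jose": 0}
    links = [("Cupertino", "Fremont", 100), ("Mountain View", "Fremont", 100),
             ("Mountain View", "San Jose", 50)]
    print(auto_site_coverage(servers, links))
    print(site_specific_srv_count(n_dc=5, n_gc=2, dc_less_sites=10))
```

Running it on a real forest means feeding in the site, siteLink and server objects from the Configuration partition; the point of the script is to predict which DC will end up advertising for which DC-less site before DNS fills up with the records counted by the formula.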

Site Coverage: Example (AutoSiteCoverage = Disabled, diagram)
- Cupertino DC: AutoSiteCoverage = Disabled, SiteCoverage = Fremont
- Mountain View DC: AutoSiteCoverage = Disabled
- Both site links to Fremont cost 100; only the Cupertino DC registers records for Fremont

Priority on SRV Records
- Record format: _Service._Protocol.Name TTL Class SRV Priority Weight Port Target
- Priority sets the preference for the host named in the Target field (lower value = tried first)
- Weight sets the preference between SRV records that have the same priority (higher weight = chosen more often)

Priority in SRV Records
- Windows 2000: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvPriority = [0, 65535]
- Windows .NET: Computer Configuration\Administrative Templates\System\Net Logon\<Dynamic Registration of the DC Locator DNS Records> LdapSrvPriority = [0, 65535]

Priority in SRV Records: Example (diagram, starting point)
- Cupertino DC: AutoSiteCoverage = Disabled, SiteCoverage = Fremont
- Mountain View DC: AutoSiteCoverage = Disabled
- Both site links to Fremont cost 100

Priority in SRV Records: Example (diagram)
- The two DCs are given LdapSrvPriority = 200 and LdapSrvPriority = 100 (labelled against Cupertino and Mountain View in that order); the site links to Fremont still cost 100 each
- Clients try the DC whose records carry priority 100 first and fall back to the priority-200 DC only if it does not answer

Site Coverage for GC
- Windows 2000: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\GCSiteCoverage = list of site names to be covered
- Windows .NET: Computer Configuration -> Administrative Templates -> System -> Net Logon -> GCSiteCoverage = list of site names to be covered

GC SiteCoverage: Example (diagram)
- Cupertino hosts a DC, a GC and Exchange; its GC is configured with GCSiteCoverage = Fremont, San Jose, Milpitas, Mountain View
- Fremont, San Jose, Milpitas and Mountain View each host a DC but no GC, so the Cupertino GC advertises GC services for them

Generic SRV Records
- Used by clients when they cannot find AD servers in their own site
- Each DC/GC registers generic SRV records: DC-specific records and GC-specific records

Generic SRV Records for DC

Mnemonic         Type  DNS record
LdapIpAddress    A     <DnsDomainName>
DcByGuid         SRV   _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
Kdc              SRV   _kerberos._tcp.dc._msdcs.<DnsDomainName>
Dc               SRV   _ldap._tcp.dc._msdcs.<DnsDomainName>
Rfc1510Kdc       SRV   _kerberos._tcp.<DnsDomainName>
Rfc1510UdpKdc    SRV   _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd      SRV   _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd   SRV   _kpasswd._udp.<DnsDomainName>

Generic SRV Records for GC

Mnemonic      Type  DNS record
GcIpAddress   A     gc._msdcs.<DnsForestName>
GenericGc     SRV   _ldap._tcp.gc._msdcs.<DnsForestName>
Gc            SRV   _gc._tcp.<DnsForestName>

Generic SRV Records: Optimization
- Settings that prevent a DC/GC from registering specific SRV records, available with Windows 2000 SP2
- They prevent a local DC/GC from serving remote clients over the WAN
- Use cases: hub-and-spoke topology; Network Operations Center (NOC) sites

Generic SRV Records
- Windows 2000: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DnsAvoidRegisterRecords = list of mnemonics
- Windows .NET: Computer Configuration -> Administrative Templates -> System -> Net Logon -> DNS records not registered by the DCs = list of mnemonics

Generic SRV Records: Hub-and-Spoke Topology (diagram): Cupertino hosts the hub DC/GC; Fremont and Milpitas each host a spoke DC

Generic SRV Records: Hub-and-Spoke Topology (diagram)
- Cupertino hosts the hub DC/GC; Fremont and Milpitas each host a spoke DC
- Setting shown: DnsAvoidRegisterRecords = LdapIpAddress, GcIpAddress, Gc, Dc, ...

Generic SRV Records: NOC Site (diagram): a Network Operations Center site alongside Cupertino, Fremont and San Jose, with site links AMERICAS and EMEA

Network Operations Center
- Requirements: used only for centralized backup operations; must not serve clients for authentication or directory lookup; must not be disconnected from the network
- Solutions: turn off the automatic site coverage feature; set DnsAvoidRegisterRecords to all mnemonics except DcByGuid
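The hub-and-spoke and NOC settings above, as an added Python example that is not part of the slides: it builds the Netlogon parameter values for a DC role, checks them for the two mistakes that hurt most (a NOC DC that still advertises generic records, and a DnsAvoidRegisterRecords list that suppresses DcByGuid, which replication partners use to find the DC), and renders them as a .reg fragment. The generic mnemonics are the ones the slides list; the *AtSite, Ldap and Pdc names are taken from Microsoft's Netlogon documentation and are an assumption of this example, as is the hub/spoke/NOC role split itself.

```python
# Record mnemonics Netlogon accepts in DnsAvoidRegisterRecords. The slides
# show the generic DC and GC ones; the *AtSite, Ldap and Pdc names are from
# Microsoft's Netlogon documentation (assumed here, not on the slides).
GENERIC_DC = ["LdapIpAddress", "Ldap", "Kdc", "Dc",
              "Rfc1510Kdc", "Rfc1510UdpKdc", "Rfc1510Kpwd", "Rfc1510UdpKpwd"]
GENERIC_GC = ["GcIpAddress", "GenericGc", "Gc"]
SITE_SPECIFIC = ["LdapAtSite", "KdcAtSite", "DcAtSite", "Rfc1510KdcAtSite",
                 "GcAtSite", "GenericGcAtSite"]
REPLICATION_ONLY = ["DcByGuid"]   # partners locate this DC by its GUID
PDC_ONLY = ["Pdc"]                # registered by the PDC emulator only
ALL_MNEMONICS = GENERIC_DC + GENERIC_GC + SITE_SPECIFIC + REPLICATION_ONLY + PDC_ONLY

NETLOGON_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"


def settings_for(role, site_coverage=()):
    """Netlogon parameter values for a DC role (role split is this example's):
    hub   : default registration; may cover DC-less sites explicitly
    spoke : no generic records, so WAN clients never pick this DC, but the
            site-specific records stay so the branch's own clients find it
    noc   : everything but DcByGuid suppressed (the slide's backup-only DC)
            and automatic site coverage off, so it never adopts a site"""
    if role == "hub":
        avoid, auto = [], 1
    elif role == "spoke":
        avoid, auto = GENERIC_DC + GENERIC_GC, 1
    elif role == "noc":
        avoid, auto = [m for m in ALL_MNEMONICS if m not in REPLICATION_ONLY], 0
    else:
        raise ValueError(f"unknown role {role!r}")
    return {"DnsAvoidRegisterRecords": avoid,
            "AutoSiteCoverage": auto,
            "SiteCoverage": list(site_coverage)}


def check(role, values):
    """Sanity checks on a proposed configuration; returns a list of problems."""
    avoid = set(values["DnsAvoidRegisterRecords"])
    problems = []
    if avoid & set(REPLICATION_ONLY):
        problems.append("DcByGuid suppressed: replication partners cannot locate this DC")
    unknown = avoid - set(ALL_MNEMONICS)
    if unknown:
        problems.append(f"unknown mnemonics: {sorted(unknown)}")
    if role == "noc":
        still = [m for m in ALL_MNEMONICS
                 if m not in avoid and m not in REPLICATION_ONLY]
        if still:
            problems.append(f"NOC DC still advertises: {still}")
        if values["AutoSiteCoverage"] != 0 or values["SiteCoverage"]:
            problems.append("NOC DC must not cover any site")
    if role == "spoke" and avoid & set(SITE_SPECIFIC):
        problems.append("spoke DC hides its site records: local clients would go over the WAN")
    return problems


def multi_sz_hex(values):
    """REG_MULTI_SZ as a .reg file writes it: hex(7) of UTF-16LE strings,
    each NUL-terminated, followed by one more empty string."""
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def render_reg(values):
    """Render the values as a .reg fragment; an empty avoid list is left out
    so the key keeps Netlogon's default registration behaviour."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{NETLOGON_KEY}]",
             f'"AutoSiteCoverage"=dword:{values["AutoSiteCoverage"]:08x}']
    if values["DnsAvoidRegisterRecords"]:
        lines.append(f'"DnsAvoidRegisterRecords"={multi_sz_hex(values["DnsAvoidRegisterRecords"])}')
    if values["SiteCoverage"]:
        lines.append(f'"SiteCoverage"={multi_sz_hex(values["SiteCoverage"])}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    noc = settings_for("noc")
    assert not check("noc", noc)
    print(render_reg(noc))
    # A common mistake: hiding everything, DcByGuid included.
    broken = {"DnsAvoidRegisterRecords": ALL_MNEMONICS,
              "AutoSiteCoverage": 0, "SiteCoverage": []}
    print(check("noc", broken))
```

The rendered fragment is what `reg import` applies on a Windows 2000 DC; on Windows .NET Server and later the same three values are exposed as Net Logon group policy settings. Listing a mnemonic for a record the DC would never register anyway (the GC names on a non-GC) is harmless, which is why the NOC list can simply be "everything except DcByGuid".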

Summary
- The NetLogon service plays a fundamental role: locating AD servers on the client side and publishing service records on the server side
- Customized settings (Windows 2000: registry keys; Windows .NET: GPO) optimize the discovery of AD servers by clients and reduce the impact of the AD topology on the network