Hands-On Microsoft Windows Server 2003
Chapter 4 Introduction to Active Directory and Account Management
Objectives
• Explain the purpose of Active Directory and its key features
• Describe containers in Active Directory
• Understand user account management
• Explain security group management and implement security groups
• Implement user profiles
Introduction to Active Directory
• Directory service that houses information about all network resources
• Centralized management allows for quick searches and access to resources
• Hierarchical organization of elements provides the ability to control user access
• Used in Windows 2000 Server and Windows Server 2003
– Windows NT Servers use the SAM database, with one writable copy on the primary domain controller and read-only copies on the backup domain controllers
– Active Directory improves on SAM by:
• Providing complete management of all resources
• Allowing writeable copies on all domain controllers
Active Directory Terminology • Object – Network resource defined in a domain – Has distinct attributes and properties
• Container – An object that holds other objects
• Domain – A fundamental container that holds a group of resource objects
• Domain controller (DC) – A Windows Server 2003 server that holds a writable replica of the Active Directory data for its domain (plus the forest-wide schema and configuration partitions)
Replication in Active Directory
• Multimaster replication
– Every DC holds a writable copy, and a change made on any DC is replicated to all other DCs
– If one DC fails, the others keep serving logons and updates with no visible interruption
– The flip side for security: every writable DC is equally authoritative, so a change made by an attacker on one DC spreads to all of them; protect and monitor every DC to the same standard
• Within a site, replication partners are notified shortly after a change occurs; between sites, replication runs on a schedule over the site link instead of as soon as the update occurs
• Network traffic due to replication is reduced by:
– Replicating individual attributes instead of entire accounts
– Replicating according to the speed of the network link
• Replicate more frequently (and uncompressed) over a LAN; less often, and compressed, over a WAN
Installing Active Directory
• Make a Windows Server 2003 server a DC by installing Active Directory (the Active Directory Installation Wizard, Dcpromo.exe)
• A DNS server must be available to complete the installation; the wizard offers to install and configure DNS on the new DC if none is found
Schema
• Defines the object classes, and the attributes of each class, that Active Directory can contain
• Every object in the directory, including each schema class definition, carries a globally unique identifier (GUID)
– A 128-bit value assigned when the object is created; it stays the same when the object is renamed or moved, unlike the distinguished name, so references should key on the GUID rather than on the name
• An object class may have required and optional attributes
• Each attribute value carries replication metadata: a version number and the timestamp of the originating write
– Allows replication of just that value to the other DCs, and resolution of conflicting writes (the higher version wins, then the later timestamp)
• Windows Server 2003 has several default object classes
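The two slides above (multimaster replication of individual attributes, and the version number and timestamp stored with each attribute) describe one mechanism. The following is an added example, not code from the textbook: a toy model of two DCs that each accept writes, replicate only the changed attributes, and converge when both changed the same attribute before replicating. The `DomainController` class, the full-mesh push and the sample object are assumptions made for the example; real DCs pull changes from their topology partners and track them with update sequence numbers.

```python
"""Toy model of multimaster, attribute-level replication in Active Directory.

Added example, not from the textbook. Real AD stamps every originating
attribute write with (version, originating timestamp, originating DSA
invocation ID) and, when two DCs changed the same attribute independently,
keeps the higher version, then the later timestamp, then the higher
invocation ID. The names and the full-mesh push below are simplifying
assumptions; real DCs pull changes from their topology partners.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Stamp = Tuple[int, int, str]  # (version, originating time, originating DC)


@dataclass
class DomainController:
    name: str
    # object DN -> attribute -> (value, stamp); every DC holds a writable copy
    store: Dict[str, Dict[str, Tuple[str, Stamp]]] = field(default_factory=dict)
    pending: List[tuple] = field(default_factory=list)  # changes not yet sent

    def write(self, dn: str, attr: str, value: str, now: int) -> Stamp:
        """Originating write: bump the attribute's version, stamp it, queue it.
        Only this attribute travels, not the whole account."""
        obj = self.store.setdefault(dn, {})
        old_version = obj[attr][1][0] if attr in obj else 0
        stamp = (old_version + 1, now, self.name)
        obj[attr] = (value, stamp)
        self.pending.append((dn, attr, value, stamp))
        return stamp

    def apply_replicated(self, dn: str, attr: str, value: str, stamp: Stamp) -> bool:
        """Inbound change: keep whichever stamp is greater. Python compares the
        tuple element by element, which is exactly AD's conflict order."""
        obj = self.store.setdefault(dn, {})
        if attr in obj and obj[attr][1] >= stamp:
            return False  # our copy already wins (or this is the same change)
        obj[attr] = (value, stamp)
        return True


def replicate(dcs: List[DomainController]) -> int:
    """One replication cycle: every DC pushes its queued attribute changes to
    every other DC. Returns the number of changes that were applied."""
    applied = 0
    batches = [(dc, list(dc.pending)) for dc in dcs]
    for src, changes in batches:
        src.pending.clear()
        for dst in dcs:
            if dst is src:
                continue
            for change in changes:
                if dst.apply_replicated(*change):
                    applied += 1
    return applied


def demo():
    """Two DCs edit the same attribute before they replicate; both converge."""
    dn = "CN=jsmith,OU=Sales,DC=example,DC=com"  # constructed sample object
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write(dn, "telephoneNumber", "555-0100", now=100)
    dc1.write(dn, "description", "Sales rep", now=100)
    replicate([dc1, dc2])
    # Conflict: same attribute, same version, different DCs; later stamp wins.
    dc1.write(dn, "telephoneNumber", "555-0111", now=200)
    dc2.write(dn, "telephoneNumber", "555-0222", now=205)
    # No conflict: a different attribute replicates independently.
    dc2.write(dn, "description", "Senior sales rep", now=206)
    replicate([dc1, dc2])
    return dc1.store[dn], dc2.store[dn]


if __name__ == "__main__":
    for name, copy in zip(("DC1", "DC2"), demo()):
        print(name, copy)
```

The point to take from the model: after one cycle both DCs hold the same value for every attribute, and the losing write on DC1 is gone without any DC having been "the master". That is also why a write made on a compromised DC, or accepted from something that can speak the replication protocol, is as authoritative as any other.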
Global Catalog
• Stores information about every object within a forest
– Full replicas of objects in its own domain and partial replicas (the most commonly searched attributes) of objects in other domains
• Supports user logon: the authenticating DC queries a global catalog to find the user's universal group memberships and to resolve user principal name (UPN) logons, so in Windows 2000 native mode or higher a global catalog must be reachable for a normal domain logon
• Provides lookup and access to all resources in all domains
• Provides replication of key Active Directory elements
• Keeps a copy of the most used object attributes for quick access
Namespace
• A logical area on a network that contains directory services and named objects
• Performs name resolution through a DNS server in its designated DNS namespace
• Active Directory must be able to access a DNS server on the network; clients and DCs find each other through the SRV records that DCs register in DNS
• DNS and Active Directory namespaces can be on a single computer or be distributed across several servers
• Two types of namespaces:
– In a contiguous namespace, the child object's name contains the name of the parent object (sales.example.com under example.com)
– In a disjointed namespace, the child name does not resemble the parent name
Containers in Active Directory
• Hierarchical elements arranged in a treelike structure
• Containers in Active Directory include:
– Forests
– Trees
– Domains
– Organizational units
– Sites
Forests
• Highest level container that consists of one or more trees in a common relationship
• The trees can use a disjointed namespace
• All trees use the same schema
• All trees use the same global catalog
• Domains enable administration of commonly associated objects
• Two-way transitive trusts between all domains in the forest
• The forest, not the domain, is the security boundary: every domain shares the schema and configuration, and the forest root's Enterprise Admins and Schema Admins groups have authority in every domain
Trust relationships • Two-way trust – Members of each domain can have access to the resources of the other
• Transitive trust – If A and B have a trust and B and C have a trust, A and C automatically have a trust
• Kerberos transitive trust relationship – A two-way transitive trust using Kerberos security techniques
• Forest trust – A Kerberos transitive trust between the root domains of two Windows Server 2003 forests (both forests must be at the Windows Server 2003 forest functional level)
– Transitive across all domains of the two forests, but not chained to a third forest: a forest trust from A to B and another from B to C does not make A trust C
– A trust only lets the other side's accounts be authenticated; authorization still comes from ACL entries, and Windows Server 2003 applies SID filtering to forest trusts by default so that SIDs from outside the trusted forest are discarded
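The trust rules on this slide and the forest and tree slides around it can be checked mechanically. The following is an added example, not from the textbook: a toy model that builds the implicit parent-child and tree-root trusts of a forest from its domain names, groups the domains into trees by contiguous namespace, and searches for a trust path. The `Forest` class, the domain names and the forests are constructed for the example; the one rule that does the work is that a path may use at most one forest trust.

```python
"""Toy model of trust paths inside and between Windows Server 2003 forests.

Added example, not from the textbook. Inside a forest, parent-child and
tree-root trusts are two-way and transitive, so a path may chain through
any number of domains. A forest trust joins two forest root domains and is
transitive across those two forests only, so a path may use at most one
forest trust. Domain names and forests below are constructed samples.
"""
from collections import deque
from typing import Dict, List, Optional


class Forest:
    def __init__(self, root: str, other_domains: List[str] = ()):
        self.root = root
        self.domains = [root, *other_domains]
        self.trusts = set()  # frozenset({a, b}): implicit two-way transitive trust
        for d in other_domains:
            parent = self.parent_in_forest(d)
            # child domain -> parent-child trust; new tree -> tree-root trust
            self.trusts.add(frozenset({d, parent or root}))

    def parent_in_forest(self, domain: str) -> Optional[str]:
        """Nearest DNS ancestor that is also a domain of this forest, if any."""
        name = domain
        while "." in name:
            name = name.split(".", 1)[1]
            if name in self.domains:
                return name
        return None

    def trees(self) -> Dict[str, List[str]]:
        """Group domains into trees; each tree is one contiguous namespace."""
        out: Dict[str, List[str]] = {}
        for d in self.domains:
            top = d
            while self.parent_in_forest(top):
                top = self.parent_in_forest(top)
            out.setdefault(top, []).append(d)
        return out


def trust_path(forests, forest_trusts, src: str, dst: str) -> Optional[List[str]]:
    """Shortest chain of trusts from src to dst, or None if no trust exists.
    State = (domain, forest trust already used); a second forest trust is
    never followed, which is why a forest trust does not reach a third forest."""
    adj: Dict[str, list] = {}
    for f in forests:
        for t in f.trusts:
            a, b = tuple(t)
            adj.setdefault(a, []).append((b, False))
            adj.setdefault(b, []).append((a, False))
    for fa, fb in forest_trusts:  # forest trusts link the two root domains
        adj.setdefault(fa.root, []).append((fb.root, True))
        adj.setdefault(fb.root, []).append((fa.root, True))
    start = (src, False)
    prev = {start: None}
    queue = deque([start])
    while queue:
        dom, used = queue.popleft()
        if dom == dst:
            path, node = [], (dom, used)
            while node is not None:
                path.append(node[0])
                node = prev[node]
            return path[::-1]
        for nxt, is_forest in adj.get(dom, []):
            if is_forest and used:
                continue
            state = (nxt, used or is_forest)
            if state not in prev:
                prev[state] = (dom, used)
                queue.append(state)
    return None


def demo():
    # One forest with two trees (disjointed namespace), plus two partner forests.
    corp = Forest("example.com", ["sales.example.com", "west.sales.example.com", "example.net"])
    partner = Forest("partner.org", ["eu.partner.org"])
    vendor = Forest("vendor.com")
    forests = [corp, partner, vendor]
    forest_trusts = [(corp, partner), (partner, vendor)]
    return {
        "trees": corp.trees(),
        "inside_forest": trust_path(forests, forest_trusts, "west.sales.example.com", "example.net"),
        "across_forest_trust": trust_path(forests, forest_trusts, "west.sales.example.com", "eu.partner.org"),
        "third_forest": trust_path(forests, forest_trusts, "example.com", "vendor.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)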
Trees
• Contain one or more domains that are in a common relationship
• Domains are in a contiguous namespace and can be in a hierarchy
– All domains share a portion of their namespace (example.com, sales.example.com, west.sales.example.com)
• Parent and child domains are in a Kerberos transitive trust relationship
• All domains use the same schema for all types of common objects
• All domains use the same global catalog
Domain
• Primary container of a group of objects
• Provides a partition in which to house objects that have a common relationship
– Partitions reflect management and security relationships
– A domain is an administrative and replication partition within its forest, not a security boundary on its own
• Establishes a set of information to be replicated from one DC to another
• Expedites management of a set of objects
Organizational Unit
• Grouping of objects within a domain
• Enables the delegation of administration
– Permissions on the OU (for example, to reset passwords or create users) can be granted to a group for just the objects it contains, instead of making that group a domain administrator
– Groups objects according to management tasks
• Provides the ability to administer objects with Group Policy
– A Group Policy Object linked to the OU applies to the users and computers in it and in nested OUs
– Groups objects with similar security requirements
• Can be nested within other OUs
Site
• Groups DCs and clients by physical location (through IP subnet objects) to identify the fastest route between clients and servers and between DCs
• Reflects one or more interconnected subnets
• Is used for DC replication
– Sets up redundant paths between DCs
– Coordinates replication between sites through a bridgehead server in each site
• Enables a client to access a DC that is physically closest: the client's IP address is matched to a subnet object, and the subnet determines the site
• Is composed of only two types of objects:
– Server objects (one per DC in the site)
– Configuration objects
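The site slide says a client reaches the DC that is physically closest; the mechanism is the subnet-to-site mapping plus site-link costs. The following is an added example, not from the textbook: a toy DC locator that matches a client address to a site by longest prefix, prefers a DC in that site, and otherwise takes the cheapest site by link cost. The subnets, sites, DCs and costs are constructed samples; real Sites and Services holds the same three kinds of objects.

```python
"""Toy model of how a client is matched to a site and then to a nearby DC.

Added example, not from the textbook. Active Directory maps a client's IP
address to a site through the subnet objects under Sites and Services
(longest matching prefix wins) and prefers a DC in that site; a site
without a DC is served from the site that is cheapest by site-link cost.
The subnets, sites, DCs and link costs below are constructed samples.
"""
import heapq
import ipaddress
from typing import Optional, Tuple

SUBNETS = {  # subnet object -> site it belongs to
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.20.0.0/16": "Chicago",
    "10.20.5.0/24": "Chicago-Lab",  # more specific than 10.20.0.0/16
    "192.168.1.0/24": "Denver",
}
DCS = {"DC1": "Default-First-Site-Name", "DC2": "Chicago", "DC3": "Denver"}
SITE_LINKS = {  # site link -> cost (lower is preferred)
    frozenset({"Default-First-Site-Name", "Chicago"}): 100,
    frozenset({"Chicago", "Chicago-Lab"}): 10,
    frozenset({"Chicago", "Denver"}): 200,
    frozenset({"Default-First-Site-Name", "Denver"}): 500,
}


def site_for(ip: str) -> Optional[str]:
    """Longest-prefix match of the client address against the subnet objects."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def nearest_site_with_dc(site: str) -> Tuple[Optional[str], Optional[int]]:
    """Dijkstra over site-link costs to the cheapest site that has a DC."""
    dc_sites = set(DCS.values())
    dist = {site: 0}
    heap = [(0, site)]
    while heap:
        cost, here = heapq.heappop(heap)
        if cost > dist[here]:
            continue
        if here in dc_sites:
            return here, cost
        for link, link_cost in SITE_LINKS.items():
            if here in link:
                (other,) = link - {here}
                new_cost = cost + link_cost
                if new_cost < dist.get(other, float("inf")):
                    dist[other] = new_cost
                    heapq.heappush(heap, (new_cost, other))
    return None, None


def locate_dc(ip: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (client site, chosen DC). A client whose address matches no
    subnet has no site; any DC answers it, and the DC that does logs the
    unmapped client (NETLOGON event 5807), a hint that a subnet object is missing."""
    site = site_for(ip)
    if site is None:
        return None, next(iter(DCS))
    target, _ = nearest_site_with_dc(site)
    dc = next((name for name, s in DCS.items() if s == target), None)
    return site, dc


if __name__ == "__main__":
    for client in ("10.20.5.7", "10.20.9.1", "10.1.2.3", "192.168.1.5", "172.16.0.1"):
        print(client, locate_dc(client))
```

The practical check this suggests: review the DCs' NETLOGON 5807 events periodically. A client from an unmapped subnet is sent to an arbitrary DC, which means logons and Group Policy downloads can cross a WAN link that the site design was meant to avoid.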
Container Guidelines
• Keep Active Directory as simple as possible and plan its structure before you implement it
• Implement the least number of domains possible
• Implement only one domain on most small networks
• When an organization is planning to reorganize, use OUs to reflect the organization's structure
• Create only the number of OUs that are absolutely necessary
Container Guidelines (cont.)
• Do not build an Active Directory with more than 10 levels of OUs (one or two levels is preferable)
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
• Implement multiple trees and forests only as necessary
• Use sites where there are multiple IP subnets and geographic locations to improve logon and replication performance
User Account Management
• Environments to set up and manage accounts
– On a standalone server without Active Directory: use the Local Users and Groups tool
– In a domain where Active Directory is installed: use the Active Directory Users and Computers tool
• Management tasks:
– Creating an account
– Disabling, enabling, and renaming accounts
– Moving an account
– Resetting a password
– Deleting an account
It is easier to disable an old account, rename it, and enable the account with a new name than to delete the account and create a new one
– Caveat: renaming keeps the account's SID, so the new holder inherits every group membership and every ACL entry of the old holder; review and strip those, and reset the password, before the account is reassigned
Deleting an Account
• Delete accounts that are no longer in use
– Provides for easier account management
– Reduces the exposure to security risks
• When an account is deleted, its SID and GUID go with it and are never reused
– A new account with the same name gets a new SID, so it does not regain the old account's permissions; ACL entries that pointed at the deleted SID become orphaned and should be cleaned up
– The deleted object is kept as a tombstone for a set period (the tombstone lifetime) before it is removed from the directory
Security Group Management
• Group management eliminates repetitive steps in managing user and resource access
• The scope of a group determines its reach for gaining access to Active Directory objects
• Group types according to scope:
– Local
– Domain local
– Global
– Universal
• Group types according to use:
– Security (can be listed in ACLs)
– Distribution (e-mail lists only; cannot be used in ACLs)
Implementing Local Groups
• Used on standalone servers that are not part of a domain
• Also used on member servers in a domain, where they can hold domain users and domain groups as members
• Scope does not go beyond the local server
• Divided on the basis of security access to the local server
• Created using the Local Users and Groups tool
Implementing Domain Local Groups
• Used in a single domain to manage access to resources in that domain
• Gives global and universal groups from the same or other domains access to resources
• Usually placed in ACLs to give resource access to its members
– Access control list (ACL) is a list of security permissions for a particular object
• Scope is the domain in which the group exists
• Can be converted to a universal group if:
– Other domain local groups are not contained within it
– The domain is in Windows 2000 native mode or higher (scope conversion is not available in mixed mode)
Domain Functional Levels
• Determined by the operating systems of the domain controllers in a domain (member servers and clients do not count)
• Functional-level modes:
– Windows 2000 mixed mode
• Combination of NT 4.0, 2000, and 2003 domain controllers
– Windows 2000 native mode
• Only 2000 and 2003 domain controllers; enables universal security groups, group nesting, and scope conversion
– Windows Server 2003 interim mode
• Only NT 4.0 and 2003 domain controllers (used when upgrading directly from NT 4.0)
– Windows Server 2003 mode
• Only 2003 domain controllers
• The default mode for a new domain is Windows 2000 mixed
– Raise the level through the Raise Domain Functional Level dialog box in Active Directory Users and Computers; raising is one-way and cannot be reversed
Implementing Global Groups
• Intended to contain user accounts from a single domain
• Used to manage group accounts in a domain so that the accounts can access resources in the same domain and in other domains
• Can access resources in other domains through membership in other global, domain local, or universal groups
• Can contain user accounts and, in Windows 2000 native mode or higher, other global groups from the domain in which it was created
• Can be converted to a universal group with the same restrictions as domain local groups, as long as it is not itself a member of another global group
Implementing Universal Groups
• Used to provide easy access to resources in any domain within a forest
• Membership can include user accounts, global groups, and universal groups from any domain
• Provides ability to manage security for single accounts with minimal effort
• Simplifies access when there are multiple domains
• To create a universal security group, the domain must be in Windows 2000 native mode or higher (universal distribution groups are allowed in mixed mode)
• Universal group membership is stored in the global catalog, so a membership change replicates to every global catalog in the forest
Guidelines for Security Groups
• Use global groups to hold accounts as members
• Keep nesting of global groups to a minimum
• Give accounts access to resources by making their global groups members of other groups
• Use domain local groups to provide access to resources in a specific domain
• Avoid placing accounts in domain local groups
• Use universal groups to provide extensive access to resources by placing them in ACLs
• Together this is the A-G-DL-P pattern: Accounts go into Global groups, which go into Domain Local groups, which receive Permissions in the ACL
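The scope, nesting, conversion and functional-level rules on the preceding group slides, and the account reuse and deletion slides before them, all come down to which principals can contain which and to the SID that ends up in the access token. The following is an added example, not from the textbook: a toy directory that enforces those rules and then evaluates an ACL the A-G-DL-P way. The `Directory` and `Principal` classes, the placeholder SIDs and the sample domains are assumptions for the example; the nesting rules are the Windows 2000 native / Windows Server 2003 rules with mixed mode as a switch.

```python
"""Toy model of group scopes, nesting and conversion rules, and of how the
A-G-DL-P pattern turns into an access decision.

Added example, not from the textbook. SIDs are placeholders. The rules in
may_contain() and convert() are the Windows 2000 native / Windows Server
2003 rules for security groups; level="mixed" applies the mixed-mode limits.
"""
import itertools
from dataclasses import dataclass, field
from typing import List, Set

_rid = itertools.count(1000)

@dataclass
class Principal:
    name: str
    domain: str
    kind: str  # "user", "global", "domainlocal" or "universal"
    sid: str = ""  # assigned once at creation; never reused after deletion
    members: List["Principal"] = field(default_factory=list)

    def __post_init__(self):
        self.sid = self.sid or f"S-1-5-21-{self.domain}-{next(_rid)}"

class Directory:
    def __init__(self, level="2003"):  # "mixed", "native" or "2003"
        self.level = level
        self.by_sid = {}

    def create(self, name, domain, kind) -> Principal:
        if kind == "universal" and self.level == "mixed":
            raise ValueError("universal security groups need Windows 2000 native mode or higher")
        p = Principal(name, domain, kind)
        self.by_sid[p.sid] = p
        return p

    def delete(self, p: Principal) -> None:
        del self.by_sid[p.sid]  # the SID is gone; a recreated account gets a new one
        for g in self.by_sid.values():
            g.members = [m for m in g.members if m.sid != p.sid]

    def may_contain(self, g: Principal, m: Principal) -> bool:
        same = g.domain == m.domain
        if self.level == "mixed":  # no nesting except global -> domain local
            return (g.kind == "global" and m.kind == "user" and same) or (
                g.kind == "domainlocal" and m.kind in ("user", "global"))
        if g.kind == "global":  # members come from its own domain only
            return same and m.kind in ("user", "global")
        if g.kind == "universal":  # any domain, but never domain local groups
            return m.kind in ("user", "global", "universal")
        if g.kind == "domainlocal":  # any domain; domain local only from its own
            return m.kind in ("user", "global", "universal") or (m.kind == "domainlocal" and same)
        return False

    def add_member(self, g: Principal, m: Principal) -> None:
        if not self.may_contain(g, m):
            raise ValueError(f"{g.kind} group {g.name} cannot contain {m.kind} {m.name}@{m.domain}")
        g.members.append(m)

    def convert(self, g: Principal, to: str) -> None:
        """Scope changes allowed in native mode or higher, with the textbook's caveats."""
        if self.level == "mixed":
            raise ValueError("scope conversion needs Windows 2000 native mode or higher")
        if to == "universal" and g.kind == "domainlocal" and any(m.kind == "domainlocal" for m in g.members):
            raise ValueError("domain local group containing domain local groups cannot become universal")
        if to == "universal" and g.kind == "global" and any(
                m.sid == g.sid for p in self.by_sid.values() if p.kind == "global" for m in p.members):
            raise ValueError("global group nested in another global group cannot become universal")
        g.kind = to

    def token(self, user: Principal) -> Set[str]:
        """SIDs in the user's token: the user plus every group reached through nesting."""
        sids = {user.sid}
        changed = True
        while changed:
            changed = False
            for g in self.by_sid.values():
                if g.kind != "user" and g.sid not in sids and any(m.sid in sids for m in g.members):
                    sids.add(g.sid)
                    changed = True
        return sids

def has_access(acl: Set[str], token: Set[str]) -> bool:
    """ACL entries hold SIDs, not names, so access follows the SID."""
    return bool(acl & token)

def demo():
    d = Directory("2003")
    alice = d.create("alice", "example.com", "user")
    sales = d.create("Sales", "example.com", "global")               # A -> G
    reports = d.create("ReportsRead", "example.com", "domainlocal")  # G -> DL
    d.add_member(sales, alice)
    d.add_member(reports, sales)
    acl = {reports.sid}                                              # DL -> P
    alice.name = "bob"  # disabled, renamed, re-enabled for a new hire: SID unchanged
    renamed_keeps_access = has_access(acl, d.token(alice))
    d.delete(alice)
    alice2 = d.create("alice", "example.com", "user")  # same name, new SID
    recreated_has_access = has_access(acl, d.token(alice2))
    try:  # global groups only take members from their own domain
        d.add_member(sales, d.create("Contractors", "partner.org", "global"))
        cross_domain_nesting = True
    except ValueError:
        cross_domain_nesting = False
    return renamed_keeps_access, recreated_has_access, cross_domain_nesting
```

`demo()` returns `(True, False, False)`: the renamed account still reads the reports share because the ACL never held a name, only the SID; the recreated account does not; and the cross-domain nesting is refused. The first result is the reason the "disable, rename, re-enable" shortcut needs a membership review before handing the account to someone else.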
Properties of Groups • General – Modify description, scope and type of group, and email addresses for a distribution group
• Members – Add or remove members from a group
• Member Of – Add or remove the group’s membership in another group
• Managed by – Establish an account or group that manages the group
Implementing User Profiles • Local user profile – Stored on the local computer – Multiple users can use the same computer and maintain customized settings
• Roaming profile – Stored on a server and downloaded to the client at logon; changes are written back at logoff – Same settings are available to users regardless of the computer they log on to
• Mandatory profile – Stored on the server (as NTUSER.MAN) – A user can change settings during the session, but the changes are discarded at logoff and never saved to the profile
Summary • Active Directory – Directory service that provides ways to manage resources in a network
• Object – Most basic component in Active Directory – Defined through an information set called a schema
• Global catalog – Stores information about every object in the forest – Replicates key elements – Resolves universal group membership and UPN logons
• Namespace – Uses the DNS namespace for name resolution – Active Directory requires a DNS server
Summary
• Active Directory hierarchy – Forest, trees, domains, organizational units, and sites
• Active Directory design – Keep the structure as simple as possible
• User accounts – Customize account properties – Management tasks include disabling, enabling, renaming, moving, and deleting accounts
• Security group management – Local, domain local, global, and universal groups
• User profiles – Store each user's desktop and application settings