Post on 30-Dec-2015
Module 7: Active Directory and Account Management
Objectives
• Explain the purpose of Active Directory and its key features
• Describe containers in Active Directory
• Understand user account management
• Explain security group management and implement security groups
• Implement user profiles
Introduction to Active Directory
• Directory service that houses information about all network resources
• Centralized management allows for quick searches and access to resources
• Hierarchical organization of elements provides the ability to control user access
• Used in Windows 2000 Server and Windows Server 2003
– Windows NT Servers use the SAM database
– Active Directory improves on SAM by:
• Providing complete management of all resources
• Allowing writeable copies on all domain controllers
Active Directory Terminology
• Object
– Network resource defined in a domain
– Has distinct attributes and properties
• Container
– An object that holds other objects
• Domain
– A fundamental container that holds a group of resource objects
• Domain controller (DC)
– A Windows Server 2003 server that holds a full, writable copy of the Active Directory database for its domain
Replication in Active Directory
• Multimaster replication
– Any change made on one DC is replicated to all other DCs
– If one DC fails, the remaining DCs keep servicing the domain, so clients see no interruption
• Replication can be scheduled to occur at preset intervals instead of as soon as an update occurs
• Network traffic due to replication is reduced by:
– Replicating individual attributes (properties) instead of entire accounts
– Replicating based on the speed of the network link
• Replicate more frequently over a LAN than over a WAN
Installing Active Directory
• Make a Windows Server 2003 server a DC by installing Active Directory (the dcpromo wizard)
• A DNS server must be available to complete the installation (the wizard can install one on the same server)
Schema
• Defines the object classes, and the attributes of each class, that Active Directory can contain
• Each object class and attribute is identified by a globally unique identifier (GUID)
– A unique number associated with the object name
• An object class may have required and optional attributes
• Each attribute value carries a version number and the date it was created or modified
– Allows replication to update only that value on all DCs, rather than the whole object
• Windows Server 2003 has several default object classes
Global Catalog
• Stores information about every object within a forest
– Full replicas of objects in its own domain and partial replicas (a subset of attributes) of objects in other domains
• Consulted during user logon to resolve user principal names and universal group memberships
• Provides lookup and access to all resources in all domains
• Provides replication of key Active Directory elements
• Keeps a copy of the most used object attributes for quick access
Namespace
• A logical area on a network that contains directory services and named objects
• Performs name resolution through a DNS server in its designated DNS namespace
• Active Directory must be able to access a DNS server on the network
• DNS and Active Directory namespaces can be on a single computer or be distributed across several servers
• Two types of namespaces:
– In a contiguous namespace, the child object contains the name of the parent object
– In a disjointed namespace, the child name does not resemble the parent name
Containers in Active Directory
• Hierarchical elements arranged in a treelike structure
• Containers in Active Directory include:
– Forests
– Trees
– Domains
– Organizational units
– Sites
Forests
• Highest-level container that consists of one or more trees in a common relationship
• The trees can use a disjointed namespace
• All trees use the same schema
• All trees use the same global catalog
• Domains enable administration of commonly associated objects
• Two-way transitive trusts exist between domains
Trust relationships
• Two-way trust
– Members of each domain can have access to the resources of the other
• Transitive trust
– If A and B have a trust and B and C have a trust, A and C automatically have a trust
• Kerberos transitive trust relationship
– A two-way transitive trust using Kerberos security techniques
• Forest trust
– A Kerberos transitive trust between the root domains of two Windows Server 2003 forests
Trees
• Contain one or more domains that are in a common relationship
• Domains are in a contiguous namespace and can be in a hierarchy
– All domains share a portion of their namespace
• Parent and child domains are in a Kerberos transitive trust relationship
• All domains use the same schema for all types of common objects
• All domains use the same global catalog
Domain
• Primary container of a group of objects
• Provides a partition in which to house objects that have a common relationship
– Partitions reflect management and security relationships
• Establishes a set of information to be replicated from one DC to another
• Expedites management of a set of objects
Organizational Unit
• Grouping of objects within a domain
• Enables the delegation of server administration roles
– Groups objects according to management tasks
• Provides the ability to administer objects with Group Policies
– Groups objects with similar security access
• Can be nested within other OUs
Site
• Groups objects by physical location to identify the fastest route between clients and servers and between DCs
• Reflects one or more interconnected subnets
• Is used for DC replication
– Sets up redundant paths between DCs
– Coordinates replication between sites with a bridgehead server
• Enables a client to access the DC that is physically closest
• Is composed of only two types of objects:
– Servers
– Configuration objects
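Added example, not part of the original slides: defining sites, subnets and a scheduled inter-site link with the ActiveDirectory PowerShell module (the replication cmdlets shipped with Windows Server 2012 and later RSAT, so this is newer tooling than the Server 2003 GUI the slides describe). It implements the points above and on the replication slide: intra-site replication is change-triggered, inter-site replication runs on the site link's schedule and cost. Site names, subnets and the DC name are constructed for the example.

```powershell
# Added example: site topology for a two-location domain.
# Assumed/constructed: site names HQ and Branch, subnets 10.1.0.0/16 and 10.2.0.0/24,
# DC named DC02. Requires the ActiveDirectory module (Server 2012+ / RSAT) and
# membership in Enterprise Admins, since sites live in the Configuration partition.
Import-Module ActiveDirectory

# Sites group DCs and clients by physical location.
New-ADReplicationSite -Name "HQ"
New-ADReplicationSite -Name "Branch"

# Subnet objects map client IP addresses to a site; this is what lets a client
# find the DC that is physically closest to it.
New-ADReplicationSubnet -Name "10.1.0.0/16" -Site "HQ"
New-ADReplicationSubnet -Name "10.2.0.0/24" -Site "Branch"

# A site link carries inter-site replication. Replication over this link runs on
# a schedule (every 180 minutes here) instead of immediately on each change, which is
# the "preset intervals" behaviour the slides describe for slow WAN links. Cost is
# used to prefer cheaper paths when more than one link exists.
New-ADReplicationSiteLink -Name "HQ-Branch" -SitesIncluded "HQ","Branch" `
    -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# Move the branch DC's server object into its site so it becomes that site's
# replication endpoint (the KCC picks a bridgehead per site automatically).
Move-ADDirectoryServer -Identity "DC02" -Site "Branch"

# Checks a practitioner would run afterwards:
# 1. Which DC would a client located in the Branch site be handed?
Get-ADDomainController -Discover -SiteName "Branch" | Select-Object HostName, Site

# 2. Is DC02 replicating successfully with its partners, and when did it last succeed?
Get-ADReplicationPartnerMetadata -Target "DC02" |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
```

A non-zero LastReplicationResult or a growing ConsecutiveReplicationFailures count means the multimaster guarantee on the replication slide is not currently being met for that DC, and changes made on one side (including disabling an account) will not be seen on the other until the link recovers.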
Container Guidelines
• Keep Active Directory as simple as possible and plan its structure before you implement it
• Implement the least number of domains possible
• Implement only one domain on most small networks
• When an organization is planning to reorganize, use OUs to reflect the organization's structure
• Create only the number of OUs that are absolutely necessary
Container Guidelines (cont.)
• Do not build an Active Directory with more than 10 levels of OUs (one or two levels is preferable)
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
• Implement multiple trees and forests only as necessary
• Use sites where there are multiple IP subnets and geographic locations to improve logon and replication performance
User Account Management
• Environments to set up and manage accounts
– Through a standalone server without Active Directory:
• Use the Local Users and Groups tool
– In a domain where Active Directory is installed:
• Use the Active Directory Users and Computers tool
• Management tasks:
– Creating an account
– Disabling, enabling, and renaming accounts
– Moving an account
– Resetting a password
– Deleting an account
It is easier to disable an old account, rename it, and enable the account with a new name than to delete the account and create a new one. Renaming keeps the account's security identifier (SID), so every group membership and ACL entry of the old user carries over to the new one; review them before the renamed account is enabled.
Deleting an Account
• Delete accounts that are no longer in use
– Provides for easier account management
– Reduces the exposure to security risks
• When an account is deleted, its GUID and SID are also deleted and are not reused
– A new account created with the same name gets a new SID, so ACL entries that referenced the old account no longer grant it access
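Added example, not part of the original slides: the account management tasks listed above (create, disable, rename, move, reset password, delete) and the stale-account cleanup on this slide, done with the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later RSAT; the slides' Active Directory Users and Computers GUI does the same operations). It also shows the SID point: a renamed account keeps its SID and therefore its access, while a deleted and re-created one does not. Domain name, OU paths and user names are constructed.

```powershell
# Added example: account lifecycle with the ActiveDirectory module.
# Assumed/constructed: domain example.local, OUs Staff and Leavers, users jsmith/jdoe.
Import-Module ActiveDirectory

$staffOu   = "OU=Staff,DC=example,DC=local"     # assumed OU
$leaversOu = "OU=Leavers,DC=example,DC=local"   # assumed OU

# Random initial password as a SecureString, so no shared default password is ever set.
function New-InitialPassword {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# 1. Create: user must change the generated password at first logon.
New-ADUser -Name "Jane Smith" -SamAccountName "jsmith" -UserPrincipalName "jsmith@example.local" `
    -Path $staffOu -AccountPassword (New-InitialPassword) -ChangePasswordAtLogon $true -Enabled $true

# 2. Disable and move when the person leaves. SID and group memberships are kept.
Disable-ADAccount -Identity "jsmith"
Move-ADObject -Identity (Get-ADUser "jsmith").DistinguishedName -TargetPath $leaversOu

# 3. Rename and reuse for a new hire (the practice the slides recommend).
#    Because the SID is unchanged, every ACL entry and group membership of the
#    old user now belongs to the new one: list them so they can be reviewed first.
$old = Get-ADUser "jsmith" -Properties MemberOf
Write-Host "Memberships inherited by the renamed account:"; $old.MemberOf
Rename-ADObject -Identity $old.DistinguishedName -NewName "John Doe"
Set-ADUser -Identity "jsmith" -SamAccountName "jdoe" -UserPrincipalName "jdoe@example.local" -DisplayName "John Doe"
Set-ADAccountPassword -Identity "jdoe" -Reset -NewPassword (New-InitialPassword)
Set-ADUser -Identity "jdoe" -ChangePasswordAtLogon $true
Move-ADObject -Identity (Get-ADUser "jdoe").DistinguishedName -TargetPath $staffOu
Enable-ADAccount -Identity "jdoe"

# 4. Delete and re-create: the SID is discarded and never reused, so the new
#    account does not inherit the old one's access.
$sidBefore = (Get-ADUser "jdoe").SID.Value
Remove-ADUser -Identity "jdoe" -Confirm:$false
New-ADUser -Name "John Doe" -SamAccountName "jdoe" -UserPrincipalName "jdoe@example.local" `
    -Path $staffOu -AccountPassword (New-InitialPassword) -ChangePasswordAtLogon $true -Enabled $true
$sidAfter = (Get-ADUser "jdoe").SID.Value
if ($sidBefore -ne $sidAfter) {
    "New SID $sidAfter; ACL entries still naming $sidBefore are orphaned and grant nothing."
}

# 5. Find accounts that have not logged on for 90 days: candidates to disable,
#    then delete, per the "delete accounts no longer in use" guidance.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate
```

Step 5 relies on lastLogonTimestamp, which is replicated between DCs only about every 14 days, so the dates are approximate; an account reported inactive for 90 days is safe to treat as unused, but do not use this query for fine-grained "last seen" answers.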
Security Group Management
• Group management eliminates repetitive steps in managing user and resource access
• The scope of a group determines its reach for gaining access to Active Directory objects
• Group scopes:
– Local
– Domain local
– Global
– Universal
• Group types according to use:
– Security
– Distribution
Implementing Local Groups
• Used on standalone servers that are not part of a domain
• Also used on member servers in a domain
• Scope does not go beyond the local server
• Divided on the basis of security access to the local server
• Created using the Local Users and Groups tool
Implementing Domain Local Groups
• Used in a single domain to manage resources in that domain
• Gives global and universal groups from the same or other domains access to resources
• Usually placed in ACLs to give resource access to its members
– An access control list (ACL) is a list of security privileges for a particular object
• Scope is the domain in which the group exists
• Can be converted to a universal group if:
– Other domain local groups are not contained within it
– The domain is at the Windows 2000 native or Windows Server 2003 functional level (universal security groups are not available in mixed mode)
Domain Functional Levels
• Determined by the operating systems of the domain controllers in a domain
• Three functional-level modes:
– Windows 2000 mixed mode
• Combination of NT, 2000, and 2003 domain controllers
– Windows 2000 native mode
• Only 2000 and 2003 domain controllers
– Windows Server 2003 mode
• Only 2003 domain controllers
• A new domain defaults to Windows 2000 mixed mode (a domain upgraded from Windows 2000 native stays native)
– Raise the mode through the Raise Domain Functional Level dialog box; the change cannot be reversed
Implementing Global Groups
• Intended to contain user accounts from a single domain
• Used to manage group accounts in a domain so that the accounts can access resources in the same domain and in other domains
• Can access resources in other domains through membership in other global, domain local, or universal groups
• Can contain user accounts and other global groups from the domain in which it was created
• Can be converted to a universal group with the same restrictions as domain local groups
Implementing Universal Groups
• Used to provide easy access to resources in any domain within a forest
• Membership can include user accounts, global groups, and universal groups from any domain
• Provides the ability to manage security for single accounts with minimal effort
• Simplifies access when there are multiple domains
• To create a universal security group, it may be necessary to raise the domain to Windows 2000 native or Windows Server 2003 mode
• Membership of universal groups is stored in the global catalog, so changes to it replicate forest-wide
Guidelines for Security Groups
• Use global groups to hold accounts as members
• Keep nesting of global groups to a minimum
• Give accounts access to resources by making their global groups members of other groups
• Use domain local groups to provide access to resources in a specific domain
• Avoid placing accounts in domain local groups
• Use universal groups to provide extensive access to resources by placing them in ACLs
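Added example, not part of the original slides: the guidelines above, applied with the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later RSAT). Accounts go into a global group, the global group is nested in a domain local group, and only the domain local group appears on the resource's ACL (the pattern usually called AGDLP). A final query audits the "avoid placing accounts in domain local groups" rule. Domain, OU, group names, share path and user names are constructed.

```powershell
# Added example: global group -> domain local group -> ACL, plus an audit query.
# Assumed/constructed: domain EXAMPLE (example.local), OU Groups, folder D:\Shares\Finance
# on the server running the script, users jsmith and jdoe.
Import-Module ActiveDirectory

$groupOu = "OU=Groups,DC=example,DC=local"   # assumed OU
$share   = "D:\Shares\Finance"               # assumed resource on a member server

# A: accounts are members of a global group (accounts from this domain only).
New-ADGroup -Name "GG-Finance-Staff" -GroupScope Global -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity "GG-Finance-Staff" -Members "jsmith", "jdoe"

# DL: a domain local group names one permission on one resource in this domain.
New-ADGroup -Name "DL-Finance-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $groupOu

# G -> DL: the global group, not the users, is the member of the domain local group.
Add-ADGroupMember -Identity "DL-Finance-Modify" -Members "GG-Finance-Staff"

# P: only the domain local group goes on the ACL of the folder.
New-Item -ItemType Directory -Path $share -Force | Out-Null
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "EXAMPLE\DL-Finance-Modify",          # identity (assumed NetBIOS domain name)
    "Modify",                             # FileSystemRights
    "ContainerInherit,ObjectInherit",     # applies to subfolders and files
    "None",                               # PropagationFlags
    "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Granting a second team is then a membership change, not an ACL change:
# Add-ADGroupMember -Identity "DL-Finance-Modify" -Members "GG-Audit-Staff"

# Audit: domain local security groups that contain user accounts directly
# violate the guideline and hide who really has access behind the ACL.
function Get-DomainLocalGroupsWithDirectUsers {
    param([string]$SearchBase)
    Get-ADGroup -Filter 'GroupScope -eq "DomainLocal" -and GroupCategory -eq "Security"' -SearchBase $SearchBase |
        ForEach-Object {
            $direct = Get-ADGroupMember -Identity $_ | Where-Object { $_.objectClass -eq "user" }
            if ($direct) {
                [pscustomobject]@{ Group = $_.Name; DirectUsers = ($direct.SamAccountName -join ", ") }
            }
        }
}
Get-DomainLocalGroupsWithDirectUsers -SearchBase $groupOu
```

Get-ADGroupMember without -Recursive lists only direct members, which is exactly what the audit needs: users reached through a nested global group are the intended design, users listed directly are the finding.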
Properties of Groups
• General
– Modify description, scope and type of group, and e-mail addresses for a distribution group
• Members
– Add or remove members from a group
• Member Of
– Add or remove the group's membership in another group
• Managed by
– Establish an account or group that manages the group
Implementing User Profiles
• Local user profile
– Stored on the local computer
– Multiple users can use the same computer and maintain customized settings
• Roaming profile
– Downloaded to the client from the server
– Same settings are available to users regardless of the computer they log on to
• Mandatory profile
– Stored on the server
– A user can modify, but not save, settings
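Added example, not part of the original slides: setting up the server side of roaming and mandatory profiles with PowerShell and the ActiveDirectory module. The profile share is given an ACL that lets each user create and own only their own folder, the roaming user is pointed at it with the account's profile path, and a mandatory profile is produced by renaming the template hive NTUSER.DAT to NTUSER.MAN, which is what makes Windows discard changes at logoff. Server name, share, folder names and user names are constructed; the .V6 folder suffix is the one Windows 10 clients use and is an assumption about the client version (XP-era clients, contemporary with the slides, used no suffix).

```powershell
# Added example: profile share permissions, roaming profile path, mandatory profile.
# Assumed/constructed: file server FS01 with D:\Profiles shared as \\FS01\Profiles$,
# users jsmith (roaming) and kiosk (mandatory), Windows 10 clients (.V6 suffix).
Import-Module ActiveDirectory

$profileRoot = "D:\Profiles"          # assumed local path on FS01
$profileUnc  = "\\FS01\Profiles$"     # assumed hidden share of that path

# Share root ACL: users may create a folder but not read each other's. CREATOR OWNER
# gives the creating user full control of the folder they make, and ownership matters:
# Windows refuses to load a roaming profile from a folder the user does not own.
function Set-ProfileShareAcl {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting the parent's ACL
    $rules = @(
        @("NT AUTHORITY\SYSTEM",              "FullControl", "ContainerInherit,ObjectInherit", "None"),
        @("CREATOR OWNER",                    "FullControl", "ContainerInherit,ObjectInherit", "InheritOnly"),
        @("NT AUTHORITY\Authenticated Users", "ListDirectory,CreateDirectories,ReadAttributes", "None", "None")
    )
    foreach ($r in $rules) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($r[0], $r[1], $r[2], $r[3], "Allow")))
    }
    Set-Acl -Path $Path -AclObject $acl
}
Set-ProfileShareAcl -Path $profileRoot

# Roaming profile: set the account's profile path; the client creates
# \\FS01\Profiles$\jsmith.V6 at first logon and copies it back at logoff.
Set-ADUser -Identity "jsmith" -ProfilePath "$profileUnc\jsmith"

# Mandatory profile: a prepared template folder whose hive is renamed to NTUSER.MAN.
# The user gets the settings each logon and can change them during the session,
# but nothing is written back. The template folder must be readable by the users
# who load it, so it gets its own ACL instead of the per-user one above.
$mandatory = "$profileRoot\Mandatory.V6"   # assumed template prepared earlier
Rename-Item -Path "$mandatory\NTUSER.DAT" -NewName "NTUSER.MAN"
$macl = Get-Acl -Path $mandatory
$macl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "NT AUTHORITY\Authenticated Users", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")))
Set-Acl -Path $mandatory -AclObject $macl
Set-ADUser -Identity "kiosk" -ProfilePath "$profileUnc\Mandatory"

# Check what the accounts now carry.
"jsmith", "kiosk" | Get-ADUser -Properties ProfilePath | Select-Object SamAccountName, ProfilePath
```

The profile path stored on the account omits the version suffix; the client appends it. A mandatory profile only prevents the user from saving settings; it does not stop them from changing files elsewhere, so treat it as a convenience control, not an access control.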
Summary
• Active Directory
– Directory service that provides ways to manage resources in a network
• Object
– Most basic component in Active Directory
– Defined through an information set called a schema
• Global catalog
– Stores information about every object
– Replicates key elements
– Consulted at user logon
• Namespace
– Uses the DNS namespace for name resolution
– Active Directory requires a DNS server
Summary (cont.)
• Active Directory hierarchy
– Forests, trees, domains, organizational units, and sites
• Active Directory design
– Keep the structure as simple as possible
• User accounts
– Customize account properties
– Management tasks include disabling, enabling, renaming, moving, and deleting accounts
• Security group management
– Local, domain local, global, and universal groups
• User profiles
– Used to customize accounts