Module 7 Active Directory and Account Management

Transcript

Page 1: Module 7 Active Directory and Account Management

Module 7: Active Directory and Account Management

Page 2

Objectives

• Explain the purpose of Active Directory and its key features

• Describe containers in Active Directory

• Understand user account management

• Explain security group management and implement security groups

• Implement user profiles

Page 3

Introduction to Active Directory

• Directory service that houses information about all network resources

• Centralized management allows for quick searches and access to resources

• Hierarchical organization of elements provides the ability to control user access

• Used in Windows 2000 Server and Windows Server 2003
– Windows NT servers use the SAM database
– Active Directory improves on SAM by:
• Providing complete management of all resources
• Allowing writeable copies on all domain controllers

Page 5

Active Directory Terminology

• Object
– Network resource defined in a domain
– Has distinct attributes and properties

• Container
– An object that holds other objects

• Domain
– A fundamental container that holds a group of resource objects

• Domain controller (DC)
– A Windows Server 2003 server that holds a full, writable copy of the Active Directory data for its domain; any DC can accept a change and replicate it to the others

Page 7

Replication in Active Directory

• Multimaster replication
– Any change made on one DC is replicated to all other DCs
– If one DC fails, there is no visible network interruption
– Because every DC is writable, a change made on any one DC, legitimate or not, propagates to all of them; every DC must therefore be protected to the same standard

• Replication can be scheduled to occur at preset intervals instead of as soon as an update occurs

• Network traffic due to replication is reduced by:
– Replicating individual properties (attribute values) instead of entire accounts
– Replicating based on the speed of the network link

• Replicate more frequently over a LAN than a WAN

Page 8

Installing Active Directory

• Make a Windows 2003 server a DC by installing Active Directory

• A DNS server must be available to complete installation

Page 9

Schema

• Defines the object classes and their attributes that can be contained in Active Directory

• Each object class (and each object created from it) is identified by a globally unique identifier (GUID)
– Unique number associated with an object name; it does not change when the object is renamed or moved

• An object class may have required and optional attributes

• Each attribute value carries a version number and a timestamp that are updated when the value is created or modified
– Allows replication to update only that value on all DCs and to resolve conflicting changes to the same attribute

• Windows Server 2003 has several default object classes

Page 11

Global Catalog

• Stores information about every object within a forest
– Full replicas of objects in its own domain and partial replicas of objects in other domains

• Supports user logon
– A DC consults the global catalog to resolve user principal names and to enumerate universal group membership when a user logs on; authentication itself is performed by a DC of the user's domain

• Provides lookup and access to all resources in all domains

• Provides replication of key Active Directory elements

• Keeps a copy of the most used object attributes for quick access

Page 12

Namespace

• A logical area on a network that contains directory services and named objects

• Performs name resolution through a DNS server in its designated DNS namespace

• Active Directory must be able to access a DNS server on the network

• DNS and Active Directory namespaces can be on a single computer or be distributed across several servers

• Two types of namespaces:
– In a contiguous namespace, the child object's name contains the name of the parent object (a child domain's DNS name ends with its parent's DNS name)
– In a disjointed namespace, the child name does not resemble the parent name

Page 13

Containers in Active Directory

• Hierarchical elements arranged in a treelike structure

• Containers in Active Directory include:
– Forests
– Trees
– Domains
– Organizational units
– Sites

Page 15

Forests

• Highest-level container; consists of one or more trees in a common relationship

• The trees can use a disjointed namespace

• All trees use the same schema

• All trees use the same global catalog

• Domains enable administration of commonly associated objects

• Two-way transitive trusts between all domains in the forest
– Because every domain trusts every other and all share one schema and configuration, the forest, not the domain, is the effective security boundary

Page 17

Trust relationships

• Two-way trust
– Members of each domain can have access to the resources of the other

• Transitive trust
– If A and B have a trust and B and C have a trust, A and C automatically have a trust

• Kerberos transitive trust relationship
– A two-way transitive trust using Kerberos security techniques; created automatically between parent and child domains and between each tree root and the forest root

• Forest trust
– A Kerberos transitive trust between the root domains of two Windows Server 2003 forests
– Transitive within the two forests it joins (any domain in one forest can trust any domain in the other), but not across forests: a forest trust from A to B plus one from B to C gives A no trust path to C

Page 18

Trees

• Contain one or more domains that are in a common relationship

• Domains are in a contiguous namespace and can be in a hierarchy
– All domains share a portion of their namespace

• Parent and child domains are in a Kerberos transitive trust relationship

• All domains use the same schema for all types of common objects

• All domains use the same global catalog
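The namespace, tree, forest and trust rules above, as an added example (a Python model written for this page; it is not part of the course material and does not query a live directory). It derives parent/child trusts from a contiguous DNS namespace, links each tree root to the forest root, and then asks whether a trust path exists, treating a forest trust as transitive within the two forests it joins but not beyond them. Every forest and domain name is made up, and the convention that the first domain listed in a forest is its root is an assumption of the model.

```python
# Added example: a model of how Active Directory trust paths arise from the
# namespace and trust rules described on these slides.  It is not a query
# against a real directory and is not part of the original course material;
# every domain and forest name below is made up for illustration.
from __future__ import annotations
from collections import deque

# Constructed sample: two trees in the first forest (example.com and the
# disjoint widgets.net), a second forest, and a third forest that only the
# second forest trusts.  The first domain listed in each forest is its root.
FORESTS = {
    "example-forest": ["example.com", "corp.example.com",
                       "eu.corp.example.com", "widgets.net"],
    "partner-forest": ["partner.org", "lab.partner.org"],
    "vendor-forest": ["vendor.test"],
}
FOREST_TRUSTS = [("example.com", "partner.org"), ("partner.org", "vendor.test")]


def is_child_of(child: str, parent: str) -> bool:
    """Contiguous namespace: the child's DNS name ends with '.' + parent."""
    return child.lower().endswith("." + parent.lower())


def parent_of(domain: str, forest_domains: list[str]) -> str | None:
    """Nearest ancestor of `domain` within the forest, or None when the name
    is disjoint from every other domain (it then starts a new tree)."""
    ancestors = [d for d in forest_domains if is_child_of(domain, d)]
    return max(ancestors, key=len) if ancestors else None


def build_trusts(forests, forest_trusts):
    """Derive the automatic intra-forest trusts and add the forest trusts.

    Returns (edges, forest_of): edges maps a domain to the set of domains it
    trusts directly (all trusts here are two-way); forest_of maps a domain
    to the forest it belongs to."""
    edges: dict[str, set[str]] = {}
    forest_of: dict[str, str] = {}

    def link(a, b):
        edges.setdefault(a, set()).add(b)
        edges.setdefault(b, set()).add(a)

    for forest, domains in forests.items():
        forest_root = domains[0]
        for d in domains:
            forest_of[d] = forest
            edges.setdefault(d, set())
            parent = parent_of(d, domains)
            if parent is not None:
                link(d, parent)               # parent/child trust
            elif d != forest_root:
                link(d, forest_root)          # tree-root trust to the forest root
    for a, b in forest_trusts:
        link(a, b)
    return edges, forest_of


def trust_path_exists(src, dst, edges, forest_of) -> bool:
    """Breadth-first search over trust edges.

    Intra-forest trusts are transitive without limit.  A forest trust is
    transitive within the two forests it joins but not across a third
    forest, so a path may cross a forest boundary at most once."""
    start = (src, False)                      # (domain, crossed a forest boundary)
    seen, queue = {start}, deque([start])
    while queue:
        domain, crossed = queue.popleft()
        if domain == dst:
            return True
        for nxt in edges.get(domain, ()):
            crossing = forest_of[nxt] != forest_of[domain]
            if crossing and crossed:
                continue                      # second forest hop: not transitive
            state = (nxt, crossed or crossing)
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return False


EDGES, FOREST_OF = build_trusts(FORESTS, FOREST_TRUSTS)


def can_reach(src: str, dst: str) -> bool:
    """Convenience wrapper over the constructed sample."""
    return trust_path_exists(src, dst, EDGES, FOREST_OF)


if __name__ == "__main__":
    for src, dst in [("eu.corp.example.com", "widgets.net"),
                     ("eu.corp.example.com", "lab.partner.org"),
                     ("eu.corp.example.com", "vendor.test")]:
        print(f"{src} -> {dst}: {'trust path' if can_reach(src, dst) else 'no path'}")
```

The interesting case is the last one: eu.corp.example.com reaches lab.partner.org through the forest trust, but not vendor.test, because that would need a second forest hop. When you review an environment, enumerate forest and external trusts the same way; the set of domains reachable from an account is larger than the domain it lives in whenever a trust exists.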

Page 20

Domain

• Primary container of a group of objects

• Provides a partition in which to house objects that have a common relationship
– Partitions reflect management and security relationships

• Establishes a set of information to be replicated from one DC to another

• Expedites management of a set of objects

Page 22

Organizational Unit

• Grouping of objects within a domain

• Enables the delegation of administration roles
– Groups objects according to management tasks
– Permissions delegated on an OU apply to every object inside it, so delegate only the specific rights a role needs (for example, resetting passwords on user objects) rather than full control

• Provides the ability to administer objects with Group Policies
– Groups objects with similar security access

• Can be nested within other OUs

Page 24

Site

• Groups objects by physical location to identify the fastest route between clients and servers and between DCs

• Reflects one or more interconnected subnets

• Is used for DC replication
– Sets up redundant paths between DCs
– Coordinates replication between sites through a bridgehead server

• Enables a client to access the DC that is physically closest

• Is composed of only two types of objects:
– Servers
– Configuration objects

Page 26

Container Guidelines

• Keep Active Directory as simple as possible and plan its structure before you implement it

• Implement the least number of domains possible

• Implement only one domain on most small networks

• When an organization is planning to reorganize, use OUs to reflect the organization’s structure

• Create only the number of OUs that are absolutely necessary

Page 27

Container Guidelines (cont.)

• Do not build an Active Directory with more than 10 levels of OUs (one or two levels is preferable)

• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies

• Implement multiple trees and forests only as necessary

• Use sites where there are multiple IP subnets and geographic locations to improve logon and replication performance

Page 28

User Account Management

• Environments to set up and manage accounts
– On a standalone server without Active Directory: use the Local Users and Groups tool
– In a domain where Active Directory is installed: use the Active Directory Users and Computers tool

• Management tasks:
– Creating an account
– Disabling, enabling, and renaming accounts
– Moving an account
– Resetting a password
– Deleting an account

Page 30

It is easier to disable an old account, rename it, and enable the account with a new name than to delete the account and create a new one
– The renamed account keeps its security identifier (SID), so every group membership and ACL entry that referenced the old account still applies to the new holder
– Review those memberships and permissions before enabling the account: the new user should receive only the access the role requires, not everything the previous holder had accumulated

Page 33

Deleting an Account

• Delete accounts that are no longer in use
– Provides for easier account management
– Reduces the exposure to security risks: an unused but enabled account is a target for password guessing and is rarely watched by its owner

• When an account is deleted, its GUID and its SID are also deleted and are never reused
– ACL entries that referenced the deleted SID remain as unresolved SIDs and grant nothing; an account re-created with the same name gets a new SID and none of the old permissions
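The two account-replacement procedures described on these slides, as an added example (a Python model written for this page, not Active Directory tooling and not part of the course material). ACL entries reference a security identifier (SID), and like the GUID the slide mentions a SID is never reused, so the model shows why disable/rename/enable keeps the resource access intact while delete/re-create leaves an orphaned ACL entry behind. The share name, account names and SID values are made up.

```python
# Added example: a model of why disabling and renaming an account keeps its
# access intact while deleting and re-creating it does not.  ACL entries
# reference a security identifier (SID) and, like the GUID the slide mentions,
# a SID is never reused.  Constructed illustration, not Active Directory
# tooling and not part of the original course material; names and SID values
# are made up.
from __future__ import annotations
import itertools

SHARE = r"\\fs1.corp.example.com\payroll"     # constructed resource name


class Domain:
    def __init__(self, domain_sid: str = "S-1-5-21-1004336348-1177238915-682003330"):
        self.domain_sid = domain_sid
        self._rids = itertools.count(1100)    # relative IDs only ever move forward
        self.accounts: dict[str, dict] = {}   # name -> {"sid": ..., "enabled": ...}
        self.acls: dict[str, set[str]] = {}   # resource -> SIDs in its ACL

    def create(self, name: str) -> str:
        sid = f"{self.domain_sid}-{next(self._rids)}"
        self.accounts[name] = {"sid": sid, "enabled": True}
        return sid

    def disable(self, name: str) -> None:
        self.accounts[name]["enabled"] = False

    def enable(self, name: str) -> None:
        self.accounts[name]["enabled"] = True

    def rename(self, old: str, new: str) -> None:
        self.accounts[new] = self.accounts.pop(old)   # same object, same SID

    def delete(self, name: str) -> None:
        del self.accounts[name]                       # the SID is gone; ACEs keep the bare value

    def grant(self, resource: str, sid: str) -> None:
        self.acls.setdefault(resource, set()).add(sid)

    def can_access(self, name: str, resource: str) -> bool:
        acct = self.accounts.get(name)
        return bool(acct and acct["enabled"] and acct["sid"] in self.acls.get(resource, set()))

    def orphaned_aces(self, resource: str) -> set[str]:
        """ACL entries whose SID no longer resolves to any account (the ACL
        editor shows these as raw S-1-5-... strings)."""
        known = {a["sid"] for a in self.accounts.values()}
        return self.acls.get(resource, set()) - known


def reuse_by_rename() -> tuple[bool, bool, set[str]]:
    """Replace departing 'jsmith' with 'mjones' by disable, rename, enable."""
    d = Domain()
    d.grant(SHARE, d.create("jsmith"))
    d.disable("jsmith")                           # logon blocked at once...
    while_disabled = d.can_access("jsmith", SHARE)
    d.rename("jsmith", "mjones")                  # ...but the object and its SID survive
    d.enable("mjones")
    return while_disabled, d.can_access("mjones", SHARE), d.orphaned_aces(SHARE)


def recreate_by_delete() -> tuple[bool, set[str]]:
    """Same replacement done by deleting and re-creating the account."""
    d = Domain()
    d.grant(SHARE, d.create("jsmith"))
    d.delete("jsmith")
    d.create("jsmith")                            # same name, new RID, new SID
    return d.can_access("jsmith", SHARE), d.orphaned_aces(SHARE)


if __name__ == "__main__":
    print("disable/rename/enable:", reuse_by_rename())
    print("delete/re-create:     ", recreate_by_delete())
```

The rename path is convenient precisely because the SID survives, which is also its risk: mjones inherits every permission jsmith ever had, so review the account's memberships and ACL references before enabling it. Orphaned SIDs left by the delete path grant nothing, but they clutter ACLs and should be cleaned up.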

Page 34

Security Group Management

• Group management eliminates repetitive steps in managing user and resource access

• The scope of a group determines its reach for gaining access to Active Directory objects

• Group scopes (how far a group's membership can reach):
– Local
– Domain local
– Global
– Universal

• Group types (how a group is used):
– Security (can be placed in ACLs to grant or deny access)
– Distribution (e-mail lists only; cannot be used to grant access)

Page 35

Implementing Local Groups

• Used on standalone servers that are not part of a domain

• Also used on member servers in a domain

• Scope does not go beyond the local server

• Divided on the basis of security access to the local server

• Created using the Local Users and Groups tool

Page 36

Implementing Domain Local Groups

• Used within a single domain to manage access to that domain's resources

• Gives global and universal groups from the same or other domains access to resources

• Usually placed in ACLs to give resource access to its members
– An access control list (ACL) is the list of security permissions for a particular object

• Scope is the domain in which the group exists

• Can be converted to a universal group if:
– No other domain local groups are members of it
– The domain is in Windows 2000 native mode or higher (not mixed mode)

Page 38

Domain Functional Levels

• Determined by the operating systems of the domain controllers in the domain (member servers and clients do not affect the level)

• Three functional-level modes:
– Windows 2000 mixed mode: a combination of Windows NT 4.0, Windows 2000, and Windows Server 2003 DCs
– Windows 2000 native mode: only Windows 2000 and Windows Server 2003 DCs
– Windows Server 2003 mode: only Windows Server 2003 DCs

• A new domain starts in Windows 2000 mixed mode
– Change the mode through the Raise Domain Functional Level dialog box
– Raising the level is a one-way operation: it enables features such as universal security groups and group nesting, but it cannot be reversed, so confirm that no older DCs remain before raising it

Page 39

Implementing Global Groups

• Intended to contain user accounts from a single domain

• Used to manage accounts in a domain so that the accounts can access resources in the same domain and in other domains

• Gains access to resources in other domains through membership in domain local or universal groups there (a global group can be nested in another global group only within its own domain)

• Can contain user accounts and, in native mode or higher, other global groups from the domain in which it was created

• Can be converted to a universal group if the domain is in native mode or higher and the group is not a member of another global group

Page 42

Implementing Universal Groups

• Used to provide easy access to resources in any domain within a forest

• Membership can include user accounts, global groups, and other universal groups from any domain in the forest

• Provides the ability to manage security for single accounts with minimal effort

• Simplifies access when there are multiple domains

• Universal security groups require the domain to be in Windows 2000 native mode or higher; in mixed mode only universal distribution groups can be created

• Universal group membership is replicated to every global catalog server in the forest, so keep it small and stable by nesting global groups rather than adding individual accounts

Page 44

Guidelines for Security Groups

• Use global groups to hold accounts as members

• Keep nesting of global groups to a minimum

• Give accounts access to resources by making their global groups members of other groups

• Use domain local groups to provide access to resources in a specific domain

• Avoid placing accounts directly in domain local groups

• Use universal groups to provide extensive access to resources by placing them in ACLs
– Together these rules form the AGDLP pattern: Accounts go into Global groups, global groups into Domain Local groups, and domain local groups receive the Permissions; a universal group takes the place of the global group when a forest-wide group is needed
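The scope rules from the domain local, global and universal group slides and the AGDLP guidelines above, as an added example (a Python model written for this page; it is not Active Directory tooling and not part of the course material). It enforces which scopes may contain which members, refuses universal security groups and group nesting in mixed mode, and resolves a user's effective access through nested membership the way an access token would. All domain, user, group and share names are made up.

```python
# Added example: a model of the group-scope nesting rules and the AGDLP pattern
# described on these slides.  It is not Active Directory tooling and is not part
# of the original course material; every domain, user, group and share name is
# made up for illustration.
from __future__ import annotations
from dataclasses import dataclass, field

MIXED = "Windows 2000 mixed"
NATIVE = "Windows 2000 native"
SHARE = r"\\fs1.corp.example.com\ledger"      # constructed resource name


@dataclass
class Principal:
    name: str
    domain: str
    kind: str                                  # "user", "global", "domain local", "universal"
    members: set[str] = field(default_factory=set)


class Directory:
    def __init__(self, level: str = NATIVE):
        self.level = level
        self.objects: dict[str, Principal] = {}
        self.acls: dict[str, set[str]] = {}    # resource -> group names in its ACL

    def can_create(self, kind: str) -> bool:
        return not (kind == "universal" and self.level == MIXED)   # no universal security groups in mixed mode

    def add(self, p: Principal) -> Principal:
        if not self.can_create(p.kind):
            raise ValueError(f"{p.kind} security groups need native mode or higher")
        self.objects[p.name] = p
        return p

    def check_nesting(self, group: str, member: str) -> str | None:
        """None if `member` may join `group`, otherwise the reason it may not."""
        g, m = self.objects[group], self.objects[member]
        same = g.domain == m.domain
        nesting = self.level != MIXED          # group-in-group needs native mode
        if g.kind == "global":                 # own-domain users and (nested) own-domain globals
            ok = same and (m.kind == "user" or (m.kind == "global" and nesting))
        elif g.kind == "domain local":         # users/globals/universals from any domain
            ok = m.kind in ("user", "global", "universal") or (m.kind == "domain local" and same and nesting)
        elif g.kind == "universal":            # users/globals/universals from any domain
            ok = m.kind in ("user", "global", "universal")
        else:
            ok = False
        if ok:
            return None
        return f"{m.kind} '{member}' in {m.domain} cannot join {g.kind} '{group}' in {g.domain}"

    def add_member(self, group: str, member: str) -> None:
        reason = self.check_nesting(group, member)
        if reason:
            raise ValueError(reason)
        self.objects[group].members.add(member)

    def grant(self, resource: str, group: str) -> None:
        self.acls.setdefault(resource, set()).add(group)

    def effective_groups(self, user: str) -> set[str]:
        """Transitive membership: what the user's access token would carry."""
        result, frontier = set(), {user}
        while frontier:
            frontier = {g.name for g in self.objects.values()
                        if g.kind != "user" and g.name not in result and g.members & frontier}
            result |= frontier
        return result

    def has_access(self, user: str, resource: str) -> bool:
        return bool(self.acls.get(resource, set()) & self.effective_groups(user))


def build_demo(level: str = NATIVE) -> Directory:
    """AGDLP: Accounts -> Global groups -> Domain Local group -> Permissions."""
    d = Directory(level)
    d.add(Principal("alice", "corp.example.com", "user"))
    d.add(Principal("bob", "eu.example.com", "user"))
    d.add(Principal("Corp-Accountants", "corp.example.com", "global"))
    d.add(Principal("Corp-Auditors", "corp.example.com", "global"))
    d.add(Principal("EU-Accountants", "eu.example.com", "global"))
    d.add(Principal("Ledger-Readers", "corp.example.com", "domain local"))
    d.add_member("Corp-Accountants", "alice")            # A -> G, same domain
    d.add_member("EU-Accountants", "bob")
    d.add_member("Ledger-Readers", "Corp-Accountants")   # G -> DL, from either domain
    d.add_member("Ledger-Readers", "EU-Accountants")
    d.grant(SHARE, "Ledger-Readers")                     # DL -> P: only the DL group is in the ACL
    return d


if __name__ == "__main__":
    d = build_demo()
    for user in ("alice", "bob"):
        print(user, sorted(d.effective_groups(user)), d.has_access(user, SHARE))
    print(d.check_nesting("Corp-Accountants", "bob"))    # account from another domain
    print(build_demo(MIXED).check_nesting("Corp-Accountants", "Corp-Auditors"))
```

Both users reach the share, yet the ACL carries a single domain local group; moving a person between roles is a global-group change and never touches the ACL. The two refusals at the end are the scope rules in action: an account from eu.example.com cannot join a global group in corp.example.com, and global groups cannot be nested until the domain leaves mixed mode.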

Page 45

Properties of Groups

• General
– Modify description, scope and type of group, and e-mail address for a distribution group

• Members
– Add or remove members from a group

• Member Of
– Add or remove the group’s membership in another group

• Managed by
– Establish an account or group that manages the group

Page 46

Implementing User Profiles

• Local user profile
– Stored on the local computer
– Multiple users can use the same computer and each maintain customized settings

• Roaming profile
– Stored on a server and downloaded to the client at logon
– The same settings are available to users regardless of the computer they log on to

• Mandatory profile
– Stored on the server
– A user can modify settings during the session, but the changes are not saved

Page 48

Summary

• Active Directory
– Directory service that provides ways to manage resources in a network

• Object
– Most basic component in Active Directory
– Defined through an information set called a schema

• Global catalog
– Stores information about every object in the forest
– Replicates key elements
– Supplies the forest-wide data (UPN resolution, universal group membership) that user logons depend on

• Namespace
– Uses the DNS namespace for name resolution
– Active Directory requires a DNS server

Page 49

Summary

• Active Directory hierarchy
– Forest, trees, domains, organizational units, and sites

• Active Directory design
– Keep the structure as simple as possible

• User accounts
– Customize account properties
– Management tasks include disabling, enabling, renaming, moving, and deleting accounts

• Security group management
– Local, domain local, global, and universal groups

• User profiles
– Used to customize accounts