Module 7 Active Directory and Account Management - PowerPoint PPT Presentation

Author: hhecht. Created: 11/8/2002 5:12:22 PM. Format: PowerPoint PPT presentation.


1
Module 7Active Directory and Account Management
2
Objectives
  • Explain the purpose of Active Directory and its
    key features
  • Describe containers in Active Directory
  • Understand user account management
  • Explain security group management and implement
    security groups
  • Implement user profiles

3
Introduction to Active Directory
  • Directory service that houses information about
    all network resources
  • Centralized management allows for quick searches
    and access to resources
  • Hierarchical organization of elements provides
    the ability to control user access
  • Used in Windows 2000 Server and Server 2003
  • Windows NT Servers use the SAM database
  • Active Directory improves on SAM by
  • Providing complete management of all resources
  • Allowing writeable copies on all domain
    controllers

5
Active Directory Terminology
  • Object
  • Network resource defined in a domain
  • Has distinct attributes and properties
  • Container
  • An object that holds other objects
  • Domain
  • A fundamental container that holds a group of
    resource objects
  • Domain controller (DC)
  • A Windows Server 2003 server that holds a writable
    copy of the Active Directory database for its own
    domain, plus the forest-wide schema and
    configuration partitions

7
Replication in Active Directory
  • Multimaster replication
  • Every DC holds a writable copy, and a change made
    on one DC is replicated to every other DC that
    holds the same partition
  • If one DC fails, there is no visible network
    interruption
  • Within a site replication is triggered shortly
    after an update; between sites it runs on a
    preset schedule instead of as soon as the update
    occurs
  • Network traffic due to replication is reduced by
  • Replicating individual attributes instead of
    entire accounts
  • Scheduling and compressing replication according
    to the speed of the site link
  • Replicating more frequently over a LAN than over
    a WAN

8
Installing Active Directory
  • Make a Windows Server 2003 server a DC by
    installing Active Directory (the Active Directory
    Installation Wizard, dcpromo.exe)
  • A DNS server that supports SRV records must be
    available to complete the installation

9
Schema
  • Defines the object classes, and the attributes of
    each class, that can be stored in Active Directory
  • Every object is tagged with a globally unique
    identifier (GUID)
  • A 128-bit number that stays with the object even
    when the object is renamed or moved
  • An object class may have required and optional
    attributes
  • Each attribute value carries replication
    metadata: a version number and the date of the
    last originating write
  • Lets DCs replicate, and resolve conflicts for,
    only that one value rather than the whole object
  • Windows Server 2003 ships with several default
    object classes
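The two slides above describe per-attribute replication metadata without showing how it behaves. The following Python model is an added example, not code from the slides or from Windows: each DC keeps a value plus (version, timestamp, originating DC) for every attribute, only attributes whose metadata differs are transferred, and a receiving DC keeps whichever copy wins the per-attribute conflict rule. The object name, clock values and the final tiebreak on DC name are constructed assumptions (AD's real tiebreak compares originating-DSA identifiers).

```python
"""Attribute-level multimaster replication, modelled in Python (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class AttrMeta:
    value: str
    version: int    # incremented by every originating write of this attribute
    timestamp: int  # constructed sample clock; stands in for the real timestamp
    origin: str     # DC on which the originating write happened


@dataclass
class DomainController:
    name: str
    objects: Dict[str, Dict[str, AttrMeta]] = field(default_factory=dict)

    def write(self, dn: str, attr: str, value: str, at: int) -> AttrMeta:
        """Originating write: bump this attribute's version and stamp it."""
        obj = self.objects.setdefault(dn, {})
        old = obj.get(attr)
        meta = AttrMeta(value, old.version + 1 if old else 1, at, self.name)
        obj[attr] = meta
        return meta

    def get(self, dn: str, attr: str) -> Optional[str]:
        meta = self.objects.get(dn, {}).get(attr)
        return meta.value if meta else None


def wins(incoming: AttrMeta, local: Optional[AttrMeta]) -> bool:
    """Conflict rule: higher version wins; on a tie the later write wins.
    The final comparison on origin name is an assumption of this model."""
    if local is None:
        return True
    return (incoming.version, incoming.timestamp, incoming.origin) > (
        local.version, local.timestamp, local.origin)


def replicate(src: DomainController, dst: DomainController) -> int:
    """Push src's attribute values to dst.  Returns how many individual
    attributes had to be sent (those whose metadata differs on the two DCs);
    unchanged attributes of the same object are not transferred."""
    sent = 0
    for dn, attrs in src.objects.items():
        local = dst.objects.setdefault(dn, {})
        for attr, meta in attrs.items():
            if local.get(attr) == meta:
                continue            # identical on both sides: nothing to send
            sent += 1
            if wins(meta, local.get(attr)):
                local[attr] = meta  # otherwise dst's own newer write is kept
    return sent


def demo() -> dict:
    """Constructed scenario: two DCs, a partial update, then a conflict."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    user = "CN=jdoe,OU=Sales,DC=example,DC=com"   # constructed sample object
    dc1.write(user, "description", "Sales rep", at=1)
    dc1.write(user, "telephoneNumber", "555-0100", at=1)
    first = replicate(dc1, dc2)                    # both attributes travel

    dc1.write(user, "telephoneNumber", "555-0199", at=5)
    second = replicate(dc1, dc2)                   # only the phone number travels

    # Conflicting edits on both DCs before either replicates: same version,
    # DC2's write is later, so DC2's value wins on both sides.
    dc1.write(user, "description", "Marketing", at=10)
    dc2.write(user, "description", "Finance", at=11)
    replicate(dc1, dc2)
    replicate(dc2, dc1)
    return {
        "first_sent": first,
        "second_sent": second,
        "dc1_description": dc1.get(user, "description"),
        "dc2_description": dc2.get(user, "description"),
        "dc2_phone": dc2.get(user, "telephoneNumber"),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender: the unit of replication, and of conflict resolution, is a single attribute value, so two administrators editing different attributes of the same account never clobber each other, while two edits of the same attribute are settled by version and time rather than by "last DC to replicate".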

11
Global Catalog
  • Stores information about every object within a
    forest
  • Full replicas of objects in its own domain and
    partial replicas (the most commonly searched
    attributes) of objects in other domains
  • Is consulted at logon to resolve universal group
    membership and user principal names; in a
    native-mode domain a logon fails if no global
    catalog server can be reached
  • Provides lookup and access to all resources in
    all domains
  • Provides replication of key Active Directory
    elements
  • Keeps a copy of the most used object attributes
    for quick access

12
Namespace
  • A logical area on a network that contains
    directory services and named objects
  • Active Directory domain names are DNS names, and
    clients locate DCs through SRV records in the
    designated DNS namespace
  • Active Directory must be able to access a DNS
    server on the network
  • DNS and Active Directory can run on a single
    computer or be distributed across several servers
  • Two types of namespaces
  • In a contiguous namespace, the child object's
    name contains the name of the parent object
    (sales.emea.contoso.com under emea.contoso.com)
  • In a disjoint namespace, the child name does not
    resemble the parent name

13
Containers in Active Directory
  • Hierarchical elements arranged in a treelike
    structure
  • Containers in Active Directory include
  • Forests
  • Trees
  • Domains
  • Organizational units
  • Sites

15
Forests
  • Highest level container that consists of one or
    more trees in a common relationship
  • Each tree has its own namespace, so the forest as
    a whole can use a disjoint namespace
  • All trees use the same schema
  • All trees use the same global catalog
  • Domains enable administration of commonly
    associated objects
  • Two-way transitive trusts between domains

17
Trust relationships
  • Two-way trust
  • Members of each domain can be granted access to
    the resources of the other
  • Transitive trust
  • If A trusts B and B trusts C, A and C
    automatically trust each other
  • Kerberos transitive trust relationship
  • A two-way transitive trust using Kerberos
    authentication; created automatically between
    parent and child domains and between each tree
    root and the forest root
  • Forest trust
  • A Kerberos transitive trust between the root
    domains of two Windows Server 2003 forests; it is
    transitive within those two forests but does not
    chain on to a third forest
  • Because every domain in a forest trusts every
    other, the forest, not the domain, is the security
    boundary: a compromised DC in one domain can be
    used against the rest of the forest

18
Trees
  • Contain one or more domains that are in a common
    relationship
  • Domains are in a contiguous namespace and can be
    in a hierarchy
  • All domains share a portion of their namespace
  • Parent and child domains are in a Kerberos
    transitive trust relationship
  • All domains use the same schema for all types of
    common objects
  • All domains use the same global catalog
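To make the namespace, tree, forest and trust slides concrete, here is an added Python model (not code from the slides or from Windows). Domain names are grouped by forest; the first name listed in each forest is taken to be the forest root, which is an assumption of the model. Parent/child links are derived from the contiguous DNS namespace, every parent/child and tree-root/forest-root link is treated as a two-way transitive Kerberos trust, and a forest trust joins two roots without chaining to a third forest. The forest and domain names are constructed samples.

```python
"""Trust paths across forests, trees and domains, modelled in Python (added example)."""
from typing import Dict, FrozenSet, List, Optional, Set

Forests = Dict[str, List[str]]          # forest name -> domain DNS names, root first


def parent_of(domain: str, domains: List[str]) -> Optional[str]:
    """Nearest domain in the same forest whose name is a DNS suffix of `domain`."""
    parents = [d for d in domains if d != domain and domain.endswith("." + d)]
    return max(parents, key=len) if parents else None


def tree_roots(domains: List[str]) -> List[str]:
    """Domains with no parent: each starts its own tree (its own namespace)."""
    return [d for d in domains if parent_of(d, domains) is None]


def ancestors(domain: str, domains: List[str]) -> List[str]:
    """domain, its parent, ... up to the root of its tree."""
    chain = [domain]
    parent = parent_of(domain, domains)
    while parent is not None:
        chain.append(parent)
        parent = parent_of(parent, domains)
    return chain


def intra_forest_path(src: str, dst: str, domains: List[str], root: str) -> List[str]:
    """Referral chain inside one forest: up to the lowest common ancestor when
    src and dst share a tree, otherwise up to the tree root, across the forest
    root, and down the other tree."""
    up, down = ancestors(src, domains), ancestors(dst, domains)
    if up[-1] == down[-1]:
        common = next(d for d in up if d in down)
        return up[: up.index(common) + 1] + list(reversed(down[: down.index(common)]))
    path = list(up)
    if path[-1] != root:
        path.append(root)               # every tree root trusts the forest root
    descend = list(reversed(down))
    if descend[0] == root:
        descend = descend[1:]
    return path + descend


def forest_of(domain: str, forests: Forests) -> str:
    for name, domains in forests.items():
        if domain in domains:
            return name
    raise KeyError(domain)


def trust_path(src: str, dst: str, forests: Forests,
               forest_trusts: Set[FrozenSet[str]]) -> Optional[List[str]]:
    """Domains traversed to authenticate a principal of src to a resource in
    dst, or None when no trust path exists."""
    fs, fd = forest_of(src, forests), forest_of(dst, forests)
    if fs == fd:
        return intra_forest_path(src, dst, forests[fs], forests[fs][0])
    if frozenset({fs, fd}) not in forest_trusts:
        return None                     # no direct forest trust: not reachable
    to_root = intra_forest_path(src, forests[fs][0], forests[fs], forests[fs][0])
    from_root = intra_forest_path(forests[fd][0], dst, forests[fd], forests[fd][0])
    return to_root + from_root


# Constructed sample: one forest with two trees, plus two single-domain forests.
SAMPLE_FORESTS: Forests = {
    "contoso": ["contoso.com", "emea.contoso.com", "sales.emea.contoso.com", "fabrikam.net"],
    "tailspin": ["tailspin.com", "labs.tailspin.com"],
    "wingtip": ["wingtip.com"],
}
SAMPLE_FOREST_TRUSTS = {frozenset({"contoso", "tailspin"}), frozenset({"contoso", "wingtip"})}


if __name__ == "__main__":
    for s, d in [("sales.emea.contoso.com", "fabrikam.net"),
                 ("labs.tailspin.com", "sales.emea.contoso.com"),
                 ("labs.tailspin.com", "wingtip.com")]:
        print(s, "->", d, ":", trust_path(s, d, SAMPLE_FORESTS, SAMPLE_FOREST_TRUSTS))
```

Note that tailspin and wingtip both trust contoso, yet `trust_path` returns None between them: forest trusts are not transitive across forests, which is exactly the property that keeps the forest, rather than a chain of partner forests, as the security boundary.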

20
Domain
  • Primary container of a group of objects
  • Provides a partition in which to house objects
    that have a common relationship
  • Partitions reflect management and security
    relationships
  • Establishes a set of information to be replicated
    from one DC to another
  • Expedites management of a set of objects

22
Organizational Unit
  • Grouping of objects within a domain
  • Enables delegation of administration over the
    objects it contains without granting domain-wide
    rights
  • Groups objects according to management tasks
  • Provides the ability to administer objects with
    Group Policies
  • Groups objects with similar security access
  • Can be nested within other OUs

24
Site
  • Groups objects by physical location to identify
    the fastest route between clients and servers and
    between DCs
  • Reflects one or more interconnected subnets
  • Is used for DC replication
  • Sets up redundant paths between DCs
  • Coordinates replication between sites with a
    bridgehead server
  • Enables a client to access the DC that is
    physically closest
  • Is composed of only two types of objects
  • Servers
  • Configuration objects

26
Container Guidelines
  • Keep Active Directory as simple as possible and
    plan its structure before you implement it
  • Implement the least number of domains possible
  • Implement only one domain on most small networks
  • When an organization is planning to reorganize,
    use OUs to reflect the organization's structure
  • Create only the number of OUs that are absolutely
    necessary

27
Container Guidelines (cont.)
  • Do not build an Active Directory with more than
    10 levels of OUs (one or two levels is
    preferable)
  • Use domains as partitions in forests to demarcate
    commonly associated accounts and resources
    governed by group and security policies
  • Implement multiple trees and forests only as
    necessary
  • Use sites where there are multiple IP subnets and
    geographic locations to improve logon and
    replication performance

28
User Account Management
  • Environments to set up and manage accounts
  • Through a standalone server without Active
    Directory
  • Use the Local Users and Groups tool
  • In a domain where Active Directory is installed
  • Use the Active Directory Users and Computers tool
  • Management tasks
  • Creating an account
  • Disabling, enabling, and renaming accounts
  • Moving an account
  • Resetting a password
  • Deleting an account

30
It is easier to disable an old account, rename it,
and enable the account with a new name than to
delete the account and create a new one; note that
the renamed account keeps its SID, so the new user
inherits every permission and group membership the
old account had, which must be reviewed before the
account is handed over
33
Deleting an Account
  • Delete accounts that are no longer in use
  • Provides for easier account management
  • Reduces the exposure to security risks
  • When an account is deleted, its GUID and SID are
    deleted and are never reused
  • ACL entries that referenced the old SID become
    orphans, and a new account with the same name
    does not get them back
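The two preceding slides contrast renaming an old account with deleting and recreating it. The Python model below is an added example, not code from the slides or from Windows: it allocates SIDs from a domain SID plus a RID that is never reused (the domain SID, account names and permission names are constructed), stores ACL entries by SID, and shows that the disable/rename/enable path carries the old SID's permissions to the new user while the delete/recreate path leaves the old entries orphaned.

```python
"""Rename versus delete-and-recreate, seen through the ACL (added example)."""
import itertools
from typing import Dict, List, Optional, Set, Tuple


class Domain:
    def __init__(self, domain_sid: str = "S-1-5-21-1004336348-1177238915-682003330"):
        self.domain_sid = domain_sid            # constructed sample value
        self._rids = itertools.count(1001)      # RIDs only ever move forward
        self.accounts: Dict[str, dict] = {}     # sid -> {"name": ..., "enabled": ...}

    def create(self, name: str) -> str:
        if self.sid_of(name) is not None:
            raise ValueError(f"account {name} already exists")
        sid = f"{self.domain_sid}-{next(self._rids)}"
        self.accounts[sid] = {"name": name, "enabled": True}
        return sid

    def sid_of(self, name: str) -> Optional[str]:
        return next((s for s, a in self.accounts.items() if a["name"] == name), None)

    def disable(self, sid: str) -> None:
        self.accounts[sid]["enabled"] = False

    def enable(self, sid: str) -> None:
        self.accounts[sid]["enabled"] = True

    def rename(self, sid: str, new_name: str) -> None:
        self.accounts[sid]["name"] = new_name   # the SID is untouched

    def delete(self, sid: str) -> None:
        del self.accounts[sid]                  # the RID is not returned to the pool


class Acl:
    """Discretionary ACL as a list of (sid, permission) allow entries."""
    def __init__(self) -> None:
        self.aces: List[Tuple[str, str]] = []

    def grant(self, sid: str, permission: str) -> None:
        self.aces.append((sid, permission))

    def permissions_for(self, sid: str) -> Set[str]:
        return {p for s, p in self.aces if s == sid}

    def orphaned_sids(self, domain: Domain) -> List[str]:
        """SIDs in the ACL that no longer resolve to any account."""
        return sorted({s for s, _ in self.aces if s not in domain.accounts})


def effective_access(domain: Domain, acl: Acl, name: str) -> Set[str]:
    """Permissions a named, enabled account actually gets from the ACL."""
    sid = domain.sid_of(name)
    if sid is None or not domain.accounts[sid]["enabled"]:
        return set()
    return acl.permissions_for(sid)


def rename_path() -> Tuple[Set[str], List[str]]:
    """The slide's approach: disable, rename, enable.  The new user gets the
    old SID and therefore every permission that SID was granted."""
    domain, acl = Domain(), Acl()
    alice = domain.create("alice")
    acl.grant(alice, "Modify")
    domain.disable(alice)
    domain.rename(alice, "bob")
    domain.enable(alice)
    return effective_access(domain, acl, "bob"), acl.orphaned_sids(domain)


def recreate_path() -> Tuple[Set[str], List[str]]:
    """Delete and recreate: bob gets a new SID, alice's ACE is orphaned."""
    domain, acl = Domain(), Acl()
    alice = domain.create("alice")
    acl.grant(alice, "Modify")
    domain.delete(alice)
    domain.create("bob")
    return effective_access(domain, acl, "bob"), acl.orphaned_sids(domain)


if __name__ == "__main__":
    print("rename:  ", rename_path())
    print("recreate:", recreate_path())
```

The orphaned SID list is what an auditor sees in the real product as an unresolvable SID in an object's security tab; the inherited permission set is what makes the rename shortcut a privilege-transfer operation rather than a pure convenience.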

34
Security Group Management
  • Group management eliminates repetitive steps in
    managing user and resource access
  • The scope of a group determines its reach for
    gaining access to Active Directory objects
  • Group types according to scope
  • Local
  • Domain local
  • Global
  • Universal
  • Group types according to use
  • Security
  • Distribution

35
Implementing Local Groups
  • Used on standalone servers that are not part of a
    domain
  • Also used on member servers in a domain
  • Scope does not go beyond the local server
  • Divided on the basis of security access to the
    local server
  • Created using the Local Users and Groups tool

36
Implementing Domain Local Groups
  • Used on a single domain or to manage resources in
    a particular domain
  • Gives global and universal groups from the same
    or other domains access to resources
  • Usually placed in ACLs to give resource access to
    its members
  • Access control list (ACL) is the list of access
    control entries (ACEs) on an object, each granting
    or denying permissions to a security principal
    identified by its SID
  • Scope is the domain in which the group exists
  • Can be converted to a universal group if
  • Other domain local groups are not contained
    within it
  • Domain is at the Windows 2000 native or Windows
    Server 2003 functional level

38
Domain Functional Levels
  • Determined by the operating systems of the domain
    controllers in a domain
  • Three functional-level modes
  • Windows 2000 mixed mode
  • Combination of NT 4.0, 2000, and 2003 domain
    controllers
  • Windows 2000 native mode
  • Only 2000 and 2003 domain controllers
  • Windows Server 2003 mode
  • Only 2003 domain controllers
  • A new Windows Server 2003 domain starts in
    Windows 2000 mixed mode
  • Raise the level through the Raise Domain
    Functional Level dialog box in Active Directory
    Users and Computers; raising it cannot be undone

39
Implementing Global Groups
  • Intended to contain user accounts from a single
    domain
  • Used to manage group accounts in a domain so that
    the accounts can access resources in the same
    domain and in other domains
  • Can access resources in other domains through
    membership in other global, domain local, or
    universal groups
  • Can contain user accounts and other global groups
    from the domain in which it was created
  • Can be converted to a universal group as long as
    the global group is not itself a member of
    another global group (and the domain is at
    Windows 2000 native level or higher)

42
Implementing Universal Groups
  • Used to provide easy access to resources in any
    domain within a forest
  • Membership can include user accounts, global
    groups, and universal groups from any domain
  • Provides ability to manage security for single
    accounts with minimal effort
  • Simplifies access when there are multiple domains
  • Universal security groups require the domain to
    be at the Windows 2000 native or Windows Server
    2003 functional level; in mixed mode only
    universal distribution groups can be created

44
Guidelines for Security Groups
  • Use global groups to hold accounts as members
  • Keep nesting of global groups to a minimum
  • Give accounts access to resources by making their
    global group members of other groups
  • Use domain local groups to provide access to
    resources in a specific domain
  • Avoid placing accounts in domain local groups
  • Use universal groups to provide extensive access
    to resources by placing them in ACLs
  • Universal group membership is stored in the global
    catalog and replicated forest-wide, so nest global
    groups in them and keep their direct membership
    small and stable

45
Properties of Groups
  • General
  • Modify description, scope and type of group, and
    e-mail addresses for a distribution group
  • Members
  • Add or remove members from a group
  • Member Of
  • Add or remove the group's membership in another
    group
  • Managed by
  • Establish an account or group that manages the
    group

46
Implementing User Profiles
  • Local user profile
  • Stored on the local computer
  • Multiple users can use the same computer and
    maintain customized settings
  • Roaming profile
  • Downloaded to the client from the server
  • Same settings are available to users regardless
    of the computer they log on
  • Mandatory profile
  • Stored on the server
  • A user can change settings during a session, but
    the changes are discarded at logoff

48
Summary
  • Active Directory
  • Directory service that provides ways to manage
    resources in a network
  • Object
  • Most basic component in Active Directory
  • Defined through an information set called a
    schema
  • Global catalog
  • Stores information about every object
  • Replicates key elements
  • Authenticates user logons
  • Namespace
  • Uses the DNS namespace for name resolution
  • Active Directory requires a DNS server

49
Summary
  • Active Directory hierarchy
  • Forests, trees, domains, organizational units, and
    sites
  • Active Directory design
  • Keep the structure as simple as possible
  • User accounts
  • Customize account properties
  • Management tasks include disabling, enabling,
    renaming, moving, and deleting accounts
  • Security group management
  • Local, domain local, global, and universal groups
  • User profiles
  • Used to customize accounts