1. Chapter 3 Administering Active Directory
2. Objectives
Create and modify Active Directory objects such as organizational units, users, computers, and groups
Identify and troubleshoot Active Directory group types and scopes
Administer Active Directory object permissions
Manage and troubleshoot Active Directory replication
3. Administering Active Directory Objects
Types of objects stored in the Active Directory database:
Container object
Used to contain and organize related objects within the Active Directory hierarchy
Can consist of other child containers or leaf objects
Example: organizational unit (OU)
Leaf object
Represents resources within a selected domain
Stored within a container
Cannot contain other objects
Examples: user object, computer object
4. Administering Active Directory Objects (Continued)
Administrative Tools menu
Contains a number of management tools, such as
Active Directory Users and Computers
Active Directory Sites and Services
Active Directory Domains and Trusts
5. Exploring Active Directory Users and Computers
Active Directory Users and Computers
MMC application with the filename of Dsa.msc
Primary administration tool used to manage the following within an Active Directory domain
Users
Groups
OUs
Published information
One of the tools used to create and manage Group Policy objects
6. Viewing the Active Directory Users and Computers console
7. Exploring Active Directory Users and Computers (Continued)
Default container objects
Several container objects are automatically created when a Windows Server 2003 server is promoted to a domain controller
Active Directory Users and Computers can create a number of objects within a domain
8. Purpose of the default container objects in Active Directory
9. Objects available in Active Directory Users and Computers
10. Creating Organizational Units
Organizational unit (OU)
A logical container that contains other objects, such as
Users
Groups
Computers
Published resources
Other OUs
Can only consist of objects from its home domain
Main reason to create an OU
Organize and partition a single domain into logical administrative units
11. Creating Organizational Units (Continued)
Things to keep in mind when designing an OU structure
Administrative delegation
Group Policy
Goal in designing a domain
The domain should be
Logically organized
Easy to administer
Easy to control
12. Creating New User Accounts
User account object
Represents all the information that defines a physical user with access permissions to the network
Can assist in the administration and security of the network by making it possible to:
Require authentication of anyone connecting to the network
Control access to network resources such as shared folders or printers
Monitor access to resources by auditing actions performed by a user logged on with a specific account
13. Creating a new user object
14. Creating New User Accounts (Continued)
Standards on the elements of a user object might include
Establishing a naming convention
Controlling password ownership
Including additional required attributes
A number of initial account settings can be configured when creating a user account, such as
Whether a user’s password ever expires
If the account should initially be disabled
15. Initial account policy options for a new user account
16. Creating New User Accounts (Continued)
Once a user account is created, a number of additional tasks and attributes can be applied, such as:
Copy
Add to a Group
Disable Account
Reset Password
Move
Open Home Page
Send Mail
Properties
17. Creating New User Accounts (Continued)
To view and modify user account attributes
Right-click the user account, then
Click Properties
Properties dialog box of a user account
Tabs allow you to
Add specific information, or
Enable specific functionality for the user account
18. Properties of a user account object
19. Creating Computer Accounts
Computer account
An Active Directory object
Can be created in two primary ways:
During initial installation of client operating system
Preconfigured in Active Directory before client installation
20. Creating a new computer object
21. Moving Active Directory Objects
Objects created within the Active Directory Users and Computers console can be moved between containers within the same domain
Containers that cannot be moved:
Builtin
Computers
Domain Controllers
ForeignSecurityPrincipals
Users
The default local groups found in the Builtin container cannot be moved
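The OU, user, computer and move operations from slides 10 through 21, as one added PowerShell example (not from the textbook; it uses the RSAT ActiveDirectory module rather than the Dsa.msc console). The domain example.local, the OU names, the user and computer names, and the "first initial + surname" naming convention are all assumptions made for the example.

```powershell
# Added example (not from the textbook): builds a small OU structure, creates a user and a
# pre-staged computer account, then moves the user out of the default Users container.
# Assumes the RSAT ActiveDirectory module, a domain named example.local, and a naming
# convention of first initial + surname. All names below are constructed for the example.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=local

# 1. OU structure: one top-level OU per site, child OUs per object type (matches the two
#    design drivers on slide 11: delegation boundaries and Group Policy targets).
#    ProtectedFromAccidentalDeletion writes a Deny-Delete ACE so a stray right-click cannot
#    remove a whole subtree and every object under it.
$siteOU = New-ADOrganizationalUnit -Name 'Seattle' -Path $domainDN `
    -ProtectedFromAccidentalDeletion $true -PassThru
foreach ($child in 'Users', 'Workstations', 'Groups') {
    New-ADOrganizationalUnit -Name $child -Path $siteOU.DistinguishedName -ProtectedFromAccidentalDeletion $true
}

# 2. User account following the naming convention, created disabled so nobody can log on
#    with it until the owner is ready, with a one-time password that must be changed at
#    first logon (the "password ownership" standard from slide 14).
function New-StandardUser {
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [securestring] $InitialPassword
    )
    $sam = ($GivenName.Substring(0, 1) + $Surname).ToLower()     # e.g. achen
    # No -Path: the account lands in the default CN=Users container, as in the console.
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@example.local" `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true `
        -Enabled $false -PassThru
}

$initialPw = Read-Host -AsSecureString 'Initial password'
$user = New-StandardUser -GivenName 'Ava' -Surname 'Chen' -InitialPassword $initialPw

# 3. Pre-stage the computer account before the workstation is built (slide 19, second
#    method). Because the object exists first, the machine joins into the intended OU and
#    its Group Policy instead of the default Computers container.
New-ADComputer -Name 'SEA-WS-001' -Path "OU=Workstations,$($siteOU.DistinguishedName)" -Enabled $true

# 4. Move an object between containers in the same domain (slide 21). Move-ADObject keeps
#    the objectGUID and SID, so group memberships and permissions survive the move.
Move-ADObject -Identity $user.DistinguishedName -TargetPath "OU=Users,$($siteOU.DistinguishedName)"

# Verify: the user now sits under the site OU, still disabled.
Get-ADUser -Identity $user.SamAccountName -Properties Enabled |
    Select-Object SamAccountName, DistinguishedName, Enabled
```

Run the script as an account with rights to create objects in the domain; `Read-Host -AsSecureString` keeps the initial password out of the command history and the script file.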
22. Creating Group Objects
Windows Server 2003 group
Container object
Used to organize a collection of users, computers, contacts, or other groups into a single security principal
Simplifies administration
Rights and resource permissions can be assigned to a group rather than to individual users
23. Creating Group Objects (Continued)
Groups and OUs
Similarity
Both are used to organize other objects into logical containers
Differences
Permissions and rights
OUs are not security principals and as such cannot be used to define permissions on resources or be assigned rights
Active Directory security groups are security principals that can be assigned both permissions and rights
24. Creating Group Objects (Continued)
Objects that they can contain
OUs can only contain objects from their parent domain
Some groups can contain objects from any domain within the forest
25. Group Types
Windows Server 2003 allows two group types:
Security group
Defined by Security Identifier (SID)
Can be listed in discretionary access control lists (DACLs) used to define permissions on resources and objects
Distribution group
Used solely for e-mail distribution
Does not have associated SID
Cannot be listed in DACLs used to define permissions on resources and objects
26. Group Scopes
Group scope
The logical boundary within which a group can be assigned permissions to a specific resource within the domain or forest
Security and distribution groups in Active Directory can be assigned one of three possible scopes
Global
Domain local
Universal
27. Global
A global group
Can be assigned permissions to any resource in any domain within the forest
Can only contain members of the same domain in which it is created
Mainly used to organize user objects into logical groupings according to function
28. Domain Local
A domain local group
Can only be assigned permissions to a resource available in the local domain in which it is created
Group membership can come from any domain within the forest
Mainly used to assign access permissions to a resource
29. Universal
A universal group
Can be assigned permissions to any resource in any domain within the forest
Differences between universal and global groups
A universal group can consist of user objects from any domain in the forest; global groups can only consist of user objects from the same domain
Universal groups are only available when a domain is configured in Windows 2000 native mode or the Windows Server 2003 functional level
30. Windows Server 2003 group summary
31. Creating Group Objects
Steps to create group objects in Active Directory
Decide in which container object the group should be created
Choose an appropriate group name, scope, and type
To create universal groups
A domain must be switched to native mode
32. Modifying Group Memberships
Membership can be added once a group object is created
Depending upon which type of group is created, Windows Server 2003 groups can possibly contain
Users
Contacts
Other groups
Computers
33. Adding or modifying memberships
34. Changing a Group Scope
A group can change its scope as long as the group's membership rules are not violated
Rules for changing group scopes
You can only change a global group to a universal group as long as it is not a member of another global group
You can only change a domain local group to a universal group as long as it does not contain any other domain local groups as a member
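Group types, scopes, nesting and the two scope-change rules from slides 25 through 34, as an added PowerShell example (not from the textbook). It assumes the RSAT ActiveDirectory module and an OU named OU=Groups,DC=example,DC=local; the group names are constructed. The pre-check function goes slightly beyond the slides by reading the live membership so the reason for a refusal is printed, where the console only reports that the change failed.

```powershell
# Added example (not from the textbook): creates one security group per scope plus a
# distribution group, nests them, and checks the two scope-change rules before calling
# Set-ADGroup. Assumes the RSAT ActiveDirectory module; names are constructed.
Import-Module ActiveDirectory
$groupOU = 'OU=Groups,DC=example,DC=local'

# Security groups carry a SID and can appear in DACLs. A distribution group has no SID, so
# it can be used as a mail list but can never be granted permissions, not even by mistake.
New-ADGroup -Name 'Sales-Staff'       -GroupScope Global      -GroupCategory Security     -Path $groupOU
New-ADGroup -Name 'Sales-Announce'    -GroupScope Global      -GroupCategory Distribution -Path $groupOU
New-ADGroup -Name 'All-Sales'         -GroupScope Universal   -GroupCategory Security     -Path $groupOU
New-ADGroup -Name 'FS1-SalesShare-RW' -GroupScope DomainLocal -GroupCategory Security     -Path $groupOU

# Nesting: global -> universal -> domain local. Each step only accepts what its scope allows
# (a global group, for instance, cannot take members from another domain).
Add-ADGroupMember -Identity 'All-Sales'         -Members 'Sales-Staff'
Add-ADGroupMember -Identity 'FS1-SalesShare-RW' -Members 'All-Sales'

# Scope-change pre-check implementing the two rules on slide 34. AD itself rejects an
# invalid change, but checking first gives a readable reason instead of a generic error.
function Test-GroupScopeChange {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('Global', 'DomainLocal', 'Universal')] [string] $NewScope
    )
    $group = Get-ADGroup -Identity $Identity -Properties memberOf

    if ($group.GroupScope -eq 'Global' -and $NewScope -eq 'Universal') {
        # Rule 1: a global group cannot become universal while it is a member of another global group.
        $globalParents = $group.memberOf | ForEach-Object { Get-ADGroup $_ } |
                         Where-Object GroupScope -eq 'Global'
        if ($globalParents) {
            return "Blocked: $Identity is a member of global group(s) $($globalParents.Name -join ', ')"
        }
    }
    if ($group.GroupScope -eq 'DomainLocal' -and $NewScope -eq 'Universal') {
        # Rule 2: a domain local group cannot become universal while it contains a domain local group.
        $dlMembers = Get-ADGroupMember -Identity $Identity |
                     Where-Object { $_.objectClass -eq 'group' } |
                     ForEach-Object { Get-ADGroup $_ } |
                     Where-Object GroupScope -eq 'DomainLocal'
        if ($dlMembers) {
            return "Blocked: $Identity contains domain local group(s) $($dlMembers.Name -join ', ')"
        }
    }
    return 'OK'
}

# Sales-Staff is a member of a universal group only, so rule 1 does not apply and the
# change goes through; a global group nested inside another global group would be refused.
$verdict = Test-GroupScopeChange -Identity 'Sales-Staff' -NewScope Universal
if ($verdict -eq 'OK') {
    Set-ADGroup -Identity 'Sales-Staff' -GroupScope Universal
} else {
    Write-Warning $verdict
}

# Review: type, scope and nesting of everything in the OU.
Get-ADGroup -Filter * -SearchBase $groupOU -Properties memberOf |
    Select-Object Name, GroupCategory, GroupScope, @{ n = 'MemberOf'; e = { $_.memberOf -join '; ' } }
```

The universal-group creation on this script only succeeds at the domain functional levels slide 29 names; at Windows 2000 mixed mode `New-ADGroup -GroupScope Universal` fails for security groups.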
35. Understanding the Built-in Local Groups
Built-in local security groups
Have various preassigned rights
Can be used to allow users to perform certain network tasks
Ease the implementation of delegation and security rights throughout the network
Found in Builtin container
Built-in global groups
Found in Users container
36. Local groups and their rights
37. Viewing built-in global groups
38. Managing Security Groups
The acronym A G U DL P describes the order in which to implement security groups
1. Create user Accounts, and organize them within Global groups
Often users are grouped in global groups based on departments in the organization
2. Optional: Create Universal groups and place global groups from any domain within the universal groups
39. Managing Security Groups (Continued)
3. Create Domain Local groups that represent the resources to which you want to control access, and add the global or universal groups to the domain local groups
4. Assign Permissions to the domain local groups
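The full A G U DL P chain for one shared folder, as an added PowerShell example (not from the textbook). It assumes the RSAT ActiveDirectory module, a domain NetBIOS name of EXAMPLE, an OU named OU=Groups,DC=example,DC=local, a folder D:\Shares\Sales on the file server where the script runs, and two constructed user accounts (achen, bkumar).

```powershell
# Added example (not from the textbook): A G U DL P for one shared folder. Assumes the
# RSAT ActiveDirectory module, domain NetBIOS name EXAMPLE, and that the script runs on the
# file server that owns D:\Shares\Sales so the NTFS ACL is local. Names are constructed.
Import-Module ActiveDirectory
$groupOU = 'OU=Groups,DC=example,DC=local'
$share   = 'D:\Shares\Sales'

# A -> G: accounts go into a global group that describes who they are (a role or
# department), not what they access.
New-ADGroup -Name 'G-Sales' -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'G-Sales' -Members 'achen', 'bkumar'      # constructed sAMAccountNames

# U (optional): in a multi-domain forest a universal group collects the global groups of
# the same role from every domain. In a single domain this layer can be skipped.
New-ADGroup -Name 'U-Sales-Forest' -GroupScope Universal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'U-Sales-Forest' -Members 'G-Sales'

# DL: one domain local group per resource and access level. Encoding server, share and
# level in the name lets anyone reading the ACL see what an entry grants.
New-ADGroup -Name 'DL-FS1-Sales-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'DL-FS1-Sales-Modify' -Members 'U-Sales-Forest'

# P: the permission is placed on the domain local group only. Users never appear on the
# ACL directly, so access reviews and off-boarding happen in the groups, not on servers.
$rights  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'EXAMPLE\DL-FS1-Sales-Modify', $rights, $inherit, $prop, 'Allow')

$acl = Get-Acl -Path $share
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: every domain principal on the ACL should resolve to a group, never to a user.
(Get-Acl -Path $share).Access |
    Where-Object { $_.IdentityReference.Value -like 'EXAMPLE\*' } |
    ForEach-Object {
        $sam = $_.IdentityReference.Value.Split('\')[1]
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Rights      = $_.FileSystemRights
            ObjectClass = $obj.ObjectClass          # expect 'group' on every row
        }
    }
```

The final check is the part worth keeping as a recurring job: an `ObjectClass` of `user` on a folder ACL means someone bypassed the chain and granted access directly.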
40. Administering Permissions in Active Directory
Active Directory uses permissions to protect the creation, deletion, or viewing of objects within the database
By default, administrators have full access to all objects within the domain
Users are given the initial permission to read most attributes of the objects stored in the database
41. Active Directory Object Permissions
Active Directory objects can be assigned permissions at two levels:
Object-level permissions
Define which types of objects a user or group can view, create, delete, or modify within Active Directory
Can be applied according to a preconfigured set of standard permissions
Attribute-level permissions
Define which attributes of a certain object a user or group can view or modify within Active Directory
42. Common standard permissions available in Windows Server 2003 Active Directory
43. Permission Inheritance
By default, all child objects inside a container object inherit permissions from parent objects
Permission inheritance and careful planning can eliminate the need to assign permissions to
Every container object, or
Every object inside a container
The default inheritance of permissions can be modified by blocking the inheritance at a container or object level
44. Delegating Authority Over Active Directory Objects
Steps to delegate the administration of Active Directory
Design OU structure so that the administration work can be distributed
Configure the appropriate level of administrative permissions for each administrator
Delegation of Control Wizard
Guides you through the process of determining the permissions that you want to delegate
Configures permissions for the object and child objects
45. Delegating an administrative task in Active Directory
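Object-level and attribute-level permissions, inheritance blocking and delegation (slides 40 through 45), as an added PowerShell example that writes the same kind of ACEs the Delegation of Control Wizard produces (not from the textbook, and not the wizard's own code). It assumes the RSAT ActiveDirectory module, domain NetBIOS name EXAMPLE, a help-desk group named DL-Helpdesk-Seattle, and the OU names shown; all of these are constructed.

```powershell
# Added example (not from the textbook): delegates two tasks on one OU, (1) the Reset
# Password control right on user objects and (2) read/write of a single attribute,
# telephoneNumber, on user objects; then blocks inheritance on a child OU. Assumes the RSAT
# ActiveDirectory module; OU and group names are constructed.
Import-Module ActiveDirectory
$ouDN     = 'OU=Users,OU=Seattle,DC=example,DC=local'
$helpdesk = Get-ADGroup 'DL-Helpdesk-Seattle'
$sid      = [System.Security.Principal.SecurityIdentifier] $helpdesk.SID
$rootDSE  = Get-ADRootDSE

# GUIDs are looked up in the schema and configuration partitions rather than hard-coded,
# so the script cannot silently grant the wrong right because of a typo in a GUID.
function Get-SchemaGuid([string] $LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid] $o.schemaIDGUID
}
function Get-ExtendedRightGuid([string] $DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid] $o.rightsGuid
}
$userClass = Get-SchemaGuid 'user'
$telephone = Get-SchemaGuid 'telephoneNumber'
$resetPwd  = Get-ExtendedRightGuid 'Reset Password'

$acl = Get-Acl -Path "AD:\$ouDN"

# Object-level permission: the Reset Password control access right, inherited by user
# objects below the OU (Descendents + inherited object type = user).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwd,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass))

# Attribute-level permission: read and write exactly one attribute and nothing else.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $telephone,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Block inheritance on a child OU that holds privileged accounts, so the help-desk
# delegation above does not flow onto them. The second argument copies the inherited
# ACEs first; unwanted entries are then removed explicitly instead of being lost.
$privDN  = "OU=Privileged,$ouDN"
$privAcl = Get-Acl -Path "AD:\$privDN"
$privAcl.SetAccessRuleProtection($true, $true)
Set-Acl -Path "AD:\$privDN" -AclObject $privAcl

# Review what the group can now do (the same information "dsacls <OU DN>" prints).
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq "EXAMPLE\$($helpdesk.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

The `ObjectType` column in the review output is what distinguishes an attribute-level entry from an object-level one: a schema attribute GUID means "this attribute only", an extended-rights GUID means a control right such as Reset Password, and an all-zero GUID means the right applies to the whole object.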
46. Managing Active Directory Replication
Active Directory replication
The process of directory data being synchronized and maintained between domain controllers throughout the domain
Multi-master replication model
Used by Windows Server 2003
Multiple domain controllers have the authority to update and replicate database changes to each domain controller
Provides a level of fault tolerance
47. Replication Components and Processes
When an object is created, deleted, or modified, replication has to take place among all domain controllers within the domain
Originating update
Initial modification to the database on a specific domain controller
Replicated updates
All synchronized copies sent to other domain controllers
Replication latency
Time that it takes to replicate an update to another domain controller
48. Identifying Replication Problems
Three main areas that can cause potential conflict within the database
Attribute value errors
Occur when the same attribute of an object is edited at the same time on two different domain controllers
Placing objects within containers marked for deletion
Occurs when one administrator deletes a container, while another administrator creates an object or moves an object into the deleted container before replication takes place
49. Identifying Replication Problems (Continued)
Sibling name errors
Occur if two administrators concurrently create an object with the same relative distinguished name on two different domain controllers
To help resolve possible conflicts
Active Directory applies unique stamps to every attribute that is replicated
Tools that can assist in viewing replication information or diagnosing replication problems
Event Viewer
DCDIAG
Replication Monitor
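A replication health check covering slides 46 through 49, as an added PowerShell example (not from the textbook). It uses the command-line tools the slide names (DCDIAG, repadmin, the Directory Service event log) together with the ActiveDirectory module's replication cmdlets, which postdate Windows Server 2003 and the Replication Monitor tool. It assumes the RSAT ActiveDirectory module, rights to query every domain controller, and a constructed user DN for the attribute-stamp query.

```powershell
# Added example (not from the textbook): replication health check for one domain.
# Assumes the RSAT ActiveDirectory module and rights to query every DC. The user DN in
# step 3 is constructed for the example.
Import-Module ActiveDirectory
$dcs      = (Get-ADDomainController -Filter *).HostName
$domainDN = (Get-ADDomain).DistinguishedName

# 1. Inbound partners and latency. LastReplicationSuccess far behind LastReplicationAttempt,
#    or a non-zero ConsecutiveReplicationFailures, marks a link that is not converging.
Get-ADReplicationPartnerMetadata -Target $dcs -PartnerType Inbound |
    Select-Object Server, Partner, LastReplicationAttempt, LastReplicationSuccess,
                  ConsecutiveReplicationFailures, LastReplicationResult |
    Sort-Object ConsecutiveReplicationFailures -Descending | Format-Table -AutoSize

# 2. Recorded failures with error codes (the same data as "repadmin /showrepl /errorsonly").
Get-ADReplicationFailure -Target $dcs |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError

# 3. Per-attribute stamps on one object. Version, originating change time and originating
#    DC are the "unique stamps" AD compares when the same attribute is edited on two DCs:
#    highest version wins, then the latest time, then the originating server's GUID.
Get-ADReplicationAttributeMetadata -Object "CN=Ava Chen,OU=Users,OU=Seattle,$domainDN" -Server $dcs[0] |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity

# 4. Residue of the other two conflict types. A sibling-name conflict leaves the losing
#    object renamed with a "CNF:<GUID>" suffix after a line feed (\0A in LDAP filter
#    escaping); objects created in or moved into a container deleted elsewhere are parked
#    in the domain's LostAndFound container.
Get-ADObject -LDAPFilter '(cn=*\0ACNF:*)' -Properties whenChanged |
    Select-Object DistinguishedName, whenChanged
Get-ADObject -SearchBase "CN=LostAndFound,$domainDN" -SearchScope OneLevel -Filter * |
    Select-Object Name, ObjectClass, DistinguishedName

# 5. The tools named on the slide, for a second opinion and for the event log entries
#    (Directory Service log) that explain why a link failed.
dcdiag /test:replications /test:advertising
repadmin /replsummary
Get-WinEvent -LogName 'Directory Service' -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, Message
```

Steps 4 and 5 are the ones to run on a schedule: conflict objects and LostAndFound entries are created silently and stay until an administrator decides which copy to keep or where the orphaned object belongs.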
50. Summary
Active Directory Users and Computers
Primary tool used to manage users, groups, OUs, and published information within a domain
Main goal when designing an OU structure
A granular structure that meets the group policy and delegation needs of the organization
Possible standards regarding user accounts
Establishing a naming convention
Determining password ownership
Determining which attributes are required
51. Summary (Continued)
A computer account
Can be created automatically during the initial client installation of the operating system
Can be preconfigured in Active Directory before the initial installation
Types of groups in Windows Server 2003
Security groups
Distribution groups
Possible group scopes
Domain local
Global
Universal
52. Summary (Continued)
Acronym A G U DL P
Can be used when implementing the use of security groups
Active Directory permissions can be assigned at
Object level
Attribute level
Delegation of Control Wizard
Simplifies the process of applying and delegating Active Directory object permissions
53. Summary (Continued)
Main replication problems
Attribute-level conflicts
Sibling name conflicts
Creating or moving objects to deleted containers