
Module 7 Active Directory and Account Management




1. Module 7: Active Directory and Account Management

2. Objectives
• Explain the purpose of Active Directory and its key features
• Describe containers in Active Directory
• Understand user account management
• Explain security group management and implement security groups
• Implement user profiles

3. Introduction to Active Directory
• Directory service that houses information about all network resources
• Centralized management allows for quick searches and access to resources
• Hierarchical organization of elements provides the ability to control user access
• Used in Windows 2000 Server and Server 2003
• Windows NT Servers use the SAM database
• Active Directory improves on SAM by:
  • Providing complete management of all resources
  • Allowing writeable copies on all domain controllers

4. Active Directory Terminology
• Object
  • Network resource defined in a domain
  • Has distinct attributes and properties
• Container
  • An object that holds other objects
• Domain
  • A fundamental container that holds a group of resource objects
• Domain controller (DC)
  • A Windows 2003 server that contains a full copy of the Active Directory information

5. Replication in Active Directory
• Multimaster replication
  • Any change on one DC is replicated to all other DCs
  • If one DC fails, there is no visible network interruption
• Replication can be set to occur at preset intervals instead of as soon as an update occurs
• Network traffic due to replication is reduced by:
  • Replicating individual properties instead of entire accounts
  • Replicating based on the speed of the network link
    • Replicate more frequently over a LAN than over a WAN

6. Installing Active Directory
• Make a Windows 2003 server a DC by installing Active Directory
• A DNS server must be available to complete the installation

7. Schema
• Defines the object classes, and their attributes, that can be contained in Active Directory
• Each object class contains a globally unique identifier (GUID)
  • Unique number associated with an object name
• An object class may have required and optional attributes
• Each attribute is given a version number and date when created or modified
  • Allows updates on only that value in all DCs
• Windows Server 2003 has several default object classes

8. Global Catalog
• Stores information about every object within a forest
  • Full replicas of objects in its own domain and partial replicas of objects in other domains
• Authenticates users when they log on
• Provides lookup and access to all resources in all domains
• Provides replication of key Active Directory elements
• Keeps a copy of the most used object attributes for quick access

9. Namespace
• A logical area on a network that contains directory services and named objects
• Performs name resolution through a DNS server in its designated DNS namespace
  • Active Directory must be able to access a DNS server on the network
  • DNS and Active Directory namespaces can be on a single computer or be distributed across several servers
• Two types of namespaces:
  • In a contiguous namespace, the child object contains the name of the parent object
  • In a disjointed namespace, the child name does not resemble the parent name

10. Containers in Active Directory
• Hierarchical elements arranged in a treelike structure
• Containers in Active Directory include:
  • Forests
  • Trees
  • Domains
  • Organizational units
  • Sites

11. Forests
• Highest-level container that consists of one or more trees in a common relationship
  • The trees can use a disjointed namespace
  • All trees use the same schema
  • All trees use the same global catalog
  • Domains enable administration of commonly associated objects
  • Two-way transitive trusts between domains

12. Trust Relationships
• Two-way trust
  • Members of each domain can have access to the resources of the other
• Transitive trust
  • If A and B have a trust and B and C have a trust, A and C automatically have a trust
• Kerberos transitive trust relationship
  • A two-way transitive trust using Kerberos security techniques
• Forest trust
  • A Kerberos transitive trust between the root domains of two Windows Server 2003 forests

13. Trees
• Contain one or more domains that are in a common relationship
  • Domains are in a contiguous namespace and can be in a hierarchy
  • All domains share a portion of their namespace
  • Parent and child domains are in a Kerberos transitive trust relationship
  • All domains use the same schema for all types of common objects
  • All domains use the same global catalog

14. Domain
• Primary container of a group of objects
• Provides a partition in which to house objects that have a common relationship
  • Partitions reflect management and security relationships
• Establishes a set of information to be replicated from one DC to another
• Expedites management of a set of objects

15. Organizational Unit
• Grouping of objects within a domain
• Enables the delegation of server administration roles
• Groups objects according to management tasks
• Provides the ability to administer objects with Group Policies
• Groups objects with similar security access
• Can be nested within other OUs

16. Site
• Groups objects by physical location to identify the fastest route between clients and servers and between DCs
• Reflects one or more interconnected subnets
• Is used for DC replication
  • Sets up redundant paths between DCs
  • Coordinates replication between sites with a bridgehead server
• Enables a client to access the DC that is physically closest
• Is composed of only two types of objects:
  • Servers
  • Configuration objects

17. Container Guidelines
• Keep Active Directory as simple as possible and plan its structure before you implement it
• Implement the least number of domains possible
  • Implement only one domain on most small networks
• When an organization is planning to reorganize, use OUs to reflect the organization's structure
• Create only the number of OUs that are absolutely necessary

18. Container Guidelines (cont.)
• Do not build an Active Directory with more than 10 levels of OUs (one or two levels is preferable)
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
• Implement multiple trees and forests only as necessary
• Use sites where there are multiple IP subnets and geographic locations to improve logon and replication performance

19. User Account Management
• Environments in which to set up and manage accounts:
  • On a standalone server without Active Directory: use the Local Users and Groups tool
  • In a domain where Active Directory is installed: use the Active Directory Users and Computers tool
• Management tasks:
  • Creating an account
  • Disabling, enabling, and renaming accounts
  • Moving an account
  • Resetting a password
  • Deleting an account

20. It is easier to disable an old account, rename it, and enable it with a new name than to delete the account and create a new one

21. Deleting an Account
• Delete accounts that are no longer in use
  • Provides for easier account management
  • Reduces the exposure to security risks
• When an account is deleted, its GUID is also deleted and is not reused
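The account-management tasks of slides 19 to 21 (create, disable, move, rename and re-enable, reset password, delete) as an added PowerShell example using the ActiveDirectory module; it is not part of the slides. The domain, OU paths and account names are assumptions.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module (Windows Server
# 2008 R2 and later) and an assumed domain example.com with the OUs named below.
Import-Module ActiveDirectory

$staffOU   = 'OU=Staff,DC=example,DC=com'      # assumed OU for active accounts
$archiveOU = 'OU=Disabled,DC=example,DC=com'   # assumed holding OU for retired accounts

# Slide 19, creating an account. -AccountPassword needs a SecureString; forcing a change
# at first logon means the provisioning password is never the user's long-term secret.
$initial = Read-Host -AsSecureString -Prompt 'Initial password'
New-ADUser -Name 'Jane Smith' -SamAccountName 'jsmith' -UserPrincipalName 'jsmith@example.com' `
    -Path $staffOU -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true

# Disabling and moving. Disabling keeps the objectGUID and SID, so group memberships
# and ACL entries still resolve and the account can be audited later.
Disable-ADAccount -Identity 'jsmith'
Move-ADObject -Identity (Get-ADUser 'jsmith').DistinguishedName -TargetPath $archiveOU

# Slide 20, re-using the object for a replacement instead of deleting and re-creating.
# Rename-ADObject changes only the CN; the logon names are separate attributes.
Rename-ADObject -Identity (Get-ADUser 'jsmith').DistinguishedName -NewName 'John Doe'
Set-ADUser -Identity 'jsmith' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@example.com' `
    -GivenName 'John' -Surname 'Doe' -DisplayName 'John Doe'
Move-ADObject -Identity (Get-ADUser 'jdoe').DistinguishedName -TargetPath $staffOU

# The re-used object carries the previous holder's memberships and ACL entries. Review them
# before enabling so the new person starts with least privilege rather than inherited access.
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object -ExpandProperty Name

# Resetting the password (-Reset does not require the old one) and enabling.
Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New password')
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true
Enable-ADAccount -Identity 'jdoe'

# Slide 21, deleting. The GUID and SID are gone for good, so keep the confirmation prompt
# and run this only once the account is confirmed unused.
# Remove-ADUser -Identity 'jdoe' -Confirm
```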

22. Security Group Management
• Group management eliminates repetitive steps in managing user and resource access
• The scope of a group determines its reach for gaining access to Active Directory objects
• Group types according to scope:
  • Local
  • Domain local
  • Global
  • Universal
• Group types according to use:
  • Security
  • Distribution

23. Implementing Local Groups
• Used on standalone servers that are not part of a domain
• Also used on member servers in a domain
• Scope does not go beyond the local server
• Divided on the basis of security access to the local server
• Created using the Local Users and Groups tool

24. Implementing Domain Local Groups
• Used in a single domain, or to manage resources in a particular domain
• Gives global and universal groups from the same or other domains access to resources
• Usually placed in ACLs to give resource access to its members
  • An access control list (ACL) is a list of security privileges for a particular object
• Scope is the domain in which the group exists
• Can be converted to a universal group if:
  • No other domain local groups are contained within it
  • The domain is in Windows Server 2003 mode

25. Domain Functional Levels
• Determined by the type of servers in a domain
• Three functional-level modes:
  • Windows 2000 mixed mode: a combination of NT, 2000, and 2003 servers
  • Windows 2000 native mode: only 2000 and 2003 servers
  • Windows Server 2003 mode: only 2003 servers
• The default mode is either mixed or native
• Change the mode through the Raise Functional Level dialog box

26. Implementing Global Groups
• Intended to contain user accounts from a single domain
• Used to manage group accounts in a domain so that the accounts can access resources in the same domain and in other domains
  • Can access resources in other domains through membership in other global, domain local, or universal groups
• Can contain user accounts and other global groups from the domain in which it was created
• Can be converted to a universal group with the same restrictions as domain local groups

27. Implementing Universal Groups
• Used to provide easy access to resources in any domain within a forest
• Membership can include user accounts, global groups, and universal groups from any domain
• Provides the ability to manage security for single accounts with minimal effort
• Simplifies access when there are multiple domains
• To create a universal group, it may be necessary to convert the domain to Windows Server 2003 mode

28. Guidelines for Security Groups
• Use global groups to hold accounts as members
  • Keep nesting of global groups to a minimum
• Give accounts access to resources by making their global groups members of other groups
• Use domain local groups to provide access to resources in a specific domain
  • Avoid placing accounts in domain local groups
• Use universal groups to provide extensive access to resources by placing them in ACLs
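The nesting pattern of slides 24, 26 and 28 (accounts in a global group, the global group in a domain local group, only the domain local group in the ACL, often called AGDLP) as an added PowerShell example, followed by an audit for the violation slide 28 warns against. This is not the slides' own code; the group names, OU, share path and domain are assumptions.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module, an assumed domain
# EXAMPLE (example.com), and a file share that the running account may change permissions on.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=example,DC=com'   # assumed OU holding the groups
$share   = '\\fs01\Projects\Payroll'       # assumed resource being protected

# A -> G: a global group holds the accounts (from its own domain) that share a job role.
New-ADGroup -Name 'G-Payroll-Staff' -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'G-Payroll-Staff' -Members 'jdoe', 'asmith'   # assumed accounts

# G -> DL: a domain local group names one permission on one resource and takes global
# groups (from this or a trusted domain) as members, never accounts directly.
New-ADGroup -Name 'DL-Payroll-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'DL-Payroll-Modify' -Members 'G-Payroll-Staff'

# DL -> P: only the domain local group appears in the ACL, so later access changes are
# membership edits that replicate through AD, not ACL edits on every resource.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'EXAMPLE\DL-Payroll-Modify', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Audit for slide 28's "avoid placing accounts in domain local groups": report every domain
# local security group with user objects as direct members. Reporting rather than removing
# keeps the review in human hands; a direct member may be the only route to a resource.
function Get-DomainLocalGroupsWithDirectUsers {
    Get-ADGroup -Filter 'GroupScope -eq "DomainLocal" -and GroupCategory -eq "Security"' |
        ForEach-Object {
            $users = Get-ADGroupMember -Identity $_ | Where-Object objectClass -eq 'user'
            if ($users) {
                [pscustomobject]@{
                    Group       = $_.Name
                    DirectUsers = ($users.SamAccountName -join ', ')
                }
            }
        }
}
Get-DomainLocalGroupsWithDirectUsers | Format-Table -AutoSize
```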

29. Properties of Groups
• General
  • Modify the description, the scope and type of the group, and the e-mail addresses of a distribution group
• Members
  • Add or remove members of the group
• Member Of
  • Add or remove the group's membership in other groups
• Managed By
  • Establish an account or group that manages the group

30. Implementing User Profiles
• Local user profile
  • Stored on the local computer
  • Multiple users can use the same computer and maintain customized settings
• Roaming profile
  • Downloaded to the client from the server
  • The same settings are available to users regardless of the computer they log on to
• Mandatory profile
  • Stored on the server
  • A user can modify, but not save, settings
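Assigning the roaming and mandatory profiles of slide 30 as an added PowerShell example (not from the slides): the profile path is written to the user object, and a mandatory profile is made by renaming the roaming profile's registry hive from NTUSER.DAT to NTUSER.MAN. The profile share, its pre-staged folders and the account names are assumptions.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module, an assumed profile
# share \\fs01\Profiles$ with one pre-staged folder per user, and rights to rename files in it.
Import-Module ActiveDirectory

function Set-UserRoamingProfile {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ProfileShare,   # UNC path of the profile share
        [switch] $Mandatory
    )
    # A local path here would make the "roaming" profile local-only on each machine.
    if ($ProfileShare -notmatch '^\\\\[^\\]+\\[^\\]+') {
        throw "ProfileShare must be a UNC path such as \\server\share, got '$ProfileShare'."
    }
    # Stored on the user object; Windows expands %username% when the user logs on.
    $profilePath = Join-Path $ProfileShare '%username%'
    Set-ADUser -Identity $SamAccountName -ProfilePath $profilePath

    if ($Mandatory) {
        # A mandatory profile is a roaming profile whose hive is NTUSER.MAN instead of
        # NTUSER.DAT: changes apply for the session but are not written back at logoff.
        # Windows Vista and later keep the folder with a version suffix (.V2, .V6, ...),
        # so find the folder by prefix rather than by exact name.
        $folder = Get-ChildItem -Path $ProfileShare -Directory -Filter "$SamAccountName*" |
            Select-Object -First 1
        if (-not $folder) {
            throw "No pre-staged profile folder for $SamAccountName under $ProfileShare."
        }
        $hive = Join-Path $folder.FullName 'NTUSER.DAT'
        if (Test-Path -Path $hive) {
            Rename-Item -Path $hive -NewName 'NTUSER.MAN'
        }
    }
}

# Assumed accounts: a roaming profile for a named user, a mandatory one for a shared kiosk login.
Set-UserRoamingProfile -SamAccountName 'jdoe'  -ProfileShare '\\fs01\Profiles$'
Set-UserRoamingProfile -SamAccountName 'kiosk' -ProfileShare '\\fs01\Profiles$' -Mandatory
```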

31. Summary
• Active Directory
  • Directory service that provides ways to manage resources in a network
• Object
  • Most basic component in Active Directory
  • Defined through an information set called a schema
• Global catalog
  • Stores information about every object
  • Replicates key elements
  • Authenticates user logons
• Namespace
  • Uses the DNS namespace for name resolution
  • Active Directory requires a DNS server

32. Summary (cont.)
• Active Directory hierarchy
  • Forests, trees, domains, organizational units, and sites
• Active Directory design
  • Keep the structure as simple as possible
• User accounts
  • Customize account properties
  • Management tasks include disabling, enabling, renaming, moving, and deleting accounts
• Security group management
  • Local, domain local, global, and universal groups
• User profiles
  • Used to customize accounts
