Administering Active Directory


Chapter 3: Administering Active Directory

Objectives
  Create and modify Active Directory objects such as organizational units, users, computers, and groups
  Identify and troubleshoot Active Directory group types and scopes
  Administer Active Directory object permissions
  Manage and troubleshoot Active Directory replication

Administering Active Directory Objects
Types of objects stored in the Active Directory database:
  Container object
    Used to contain and organize related objects within the Active Directory hierarchy
    Can consist of other child containers or leaf objects
    Example: organizational unit (OU)
  Leaf object
    Represents resources within a selected domain
    Stored within a container
    Cannot contain other objects
    Examples: user object, computer object

Administering Active Directory Objects (Continued)
The Administrative Tools menu contains a number of management tools, such as:
  Active Directory Users and Computers
  Active Directory Sites and Services
  Active Directory Domains and Trusts

Exploring Active Directory Users and Computers
  MMC application with the filename Dsa.msc
  Primary administration tool used to manage the following within an Active Directory domain:
    Users
    Groups
    OUs
    Published information
  One of the tools used to create and manage Group Policy objects

Viewing the Active Directory Users and Computers console

Exploring Active Directory Users and Computers (Continued)
Default container objects
  Several container objects are automatically created when a Windows Server 2003 server is promoted to domain controller
  Active Directory Users and Computers can create a number of objects within a domain

Purpose of the default container objects in Active Directory

Objects available in Active Directory Users and Computers

Creating Organizational Units
Organizational unit (OU)
  A logical container that contains other objects, such as:
    Users
    Groups
    Computers
    Published resources
    Other OUs
  Can only consist of objects from its home domain
Main reason to create an OU
  Organize and partition a single domain into logical administrative units

Creating Organizational Units (Continued)
Things to keep in mind when designing an OU structure
  Administrative delegation
  Group Policy
Goal in designing a domain: the domain should be
  Logically organized
  Easy to administer
  Easy to control
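As an added example (not part of the original slides), the following PowerShell builds a small OU tree that follows the two design drivers above: one top-level OU per delegated administrative area, and child OUs per object type so that Group Policy can be linked narrowly. The domain name, OU names and the ActiveDirectory module cmdlets are assumptions for illustration; run it on a domain controller or a workstation with RSAT.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory
# PowerShell module and a test domain; OU names are made up.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example

# Delegation boundary (top level) and Group Policy boundary (children).
# Users and workstations get separate OUs so user- and computer-side
# policies can be linked without WMI or security filtering.
$structure = @{
    'Sales'       = @('Users', 'Workstations', 'Groups')
    'Engineering' = @('Users', 'Workstations', 'Groups')
}

function Test-OuExists {
    param([string]$Name, [string]$ParentDn)
    # Only look one level below the parent so same-named OUs elsewhere don't match
    $found = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDn -SearchScope OneLevel
    return ($null -ne $found)
}

foreach ($area in $structure.Keys) {
    if (-not (Test-OuExists -Name $area -ParentDn $domainDn)) {
        # ProtectedFromAccidentalDeletion stops a mis-click removing a whole subtree
        New-ADOrganizationalUnit -Name $area -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
    $areaDn = "OU=$area,$domainDn"
    foreach ($child in $structure[$area]) {
        if (-not (Test-OuExists -Name $child -ParentDn $areaDn)) {
            New-ADOrganizationalUnit -Name $child -Path $areaDn -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Show the resulting tree, sorted so parents appear before children
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn |
    Select-Object Name, DistinguishedName |
    Sort-Object DistinguishedName
```

The existence check is scoped with `-SearchScope OneLevel` so the script is safe to re-run; New-ADOrganizationalUnit would otherwise fail on the second pass.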

Creating New User Accounts
User account object
  Represents all the information that defines a physical user with access permissions to the network
  Can assist in the administration and security of the network by making it possible to:
    Require authentication of anyone connecting to the network
    Control access to network resources such as shared folders or printers
    Monitor access to resources by auditing actions performed by a user logged on with a specific account

Creating a new user object

Creating New User Accounts (Continued)
Standards on the elements of a user object might include:
  Establishing a naming convention
  Controlling password ownership
  Including additional required attributes
A number of initial account settings can be configured when creating a user account, such as:
  Whether a user's password ever expires
  Whether the account should initially be disabled

Initial account policy options for a new user account

Creating New User Accounts (Continued)
Once a user account is created, a number of additional tasks and attributes can be applied, such as:
  Copy
  Add to a Group
  Disable Account
  Reset Password
  Move
  Open Home Page
  Send Mail
  Properties

Creating New User Accounts (Continued)
To view and modify user account attributes: right-click the user account, then click Properties
The tabs of the Properties dialog box allow you to
  Add specific information, or
  Enable specific functionality for the user account
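As an added example (not from the original slides), the PowerShell below creates a user the way the preceding slides describe: a naming convention is enforced, a required attribute (department) is mandatory, the initial password must be changed at first logon so that password ownership passes to the user, and the account can start disabled. The domain name, OU path, group name and sample person are assumptions.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory
# module, domain corp.example, and OUs/groups that already exist.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # for the one-time password generator

function New-StandardUser {
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $Department,   # required attribute under our standard
        [Parameter(Mandatory)] [string] $OuPath,
        [switch] $StartDisabled
    )
    # Naming convention (assumed): first initial + surname, lower-case, 20 chars max
    $sam = ("{0}{1}" -f $GivenName.Substring(0, 1), $Surname).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
        throw "Account '$sam' already exists; resolve the naming collision first"
    }

    # Generated one-time password; ChangePasswordAtLogon forces the user to
    # replace it, so the administrator never holds a long-lived credential.
    $initial = [System.Web.Security.Membership]::GeneratePassword(16, 4)
    $secure  = ConvertTo-SecureString -String $initial -AsPlainText -Force

    New-ADUser -Name "$GivenName $Surname" `
        -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam `
        -UserPrincipalName "$sam@corp.example" `
        -Department $Department `
        -Path $OuPath `
        -AccountPassword $secure `
        -ChangePasswordAtLogon $true `
        -PasswordNeverExpires $false `
        -Enabled (-not $StartDisabled)

    # Return the identifier and the one-time password for out-of-band delivery
    [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $initial }
}

$new = New-StandardUser -GivenName 'Ada' -Surname 'Lovelace' -Department 'Engineering' `
    -OuPath 'OU=Users,OU=Engineering,DC=corp,DC=example' -StartDisabled

# The same follow-up tasks the context menu offers, as cmdlets:
Add-ADGroupMember -Identity 'G-Engineering-Staff' -Members $new.SamAccountName   # Add to a Group
Enable-ADAccount  -Identity $new.SamAccountName                                   # Disable/Enable Account
Get-ADUser -Identity $new.SamAccountName -Properties Department, PasswordNeverExpires |
    Select-Object SamAccountName, Department, PasswordNeverExpires, Enabled        # Properties
```

Starting the account disabled and enabling it only when the person is ready to log on closes the window in which a pre-created account with a known password sits unused.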

Properties of a user account object

Creating Computer Accounts
A computer account is an Active Directory object that can be created in two primary ways:
  During initial installation of the client operating system
  Preconfigured in Active Directory before client installation

Creating a new computer object

Moving Active Directory Objects
Objects created within the Active Directory Users and Computers console can be moved between containers within the same domain
Containers that cannot be moved:
  Builtin
  Computers
  Domain Controllers
  ForeignSecurityPrincipals
  Users
The default local groups found in the Builtin container cannot be moved
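As an added example (not from the original slides), this PowerShell pre-stages a computer account in the OU where its Group Policy belongs, then moves an object between OUs of the same domain and shows what happens when a protected default container is targeted. The computer name and OU paths are assumptions.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory
# module and the Engineering/Sales OU tree; names are made up.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName

# Pre-stage: the object exists before the operating system is installed, so the
# domain join lands in the intended OU instead of the default Computers container.
New-ADComputer -Name 'ENG-WS-0042' `
    -Path "OU=Workstations,OU=Engineering,$domainDn" `
    -Description 'Pre-staged for Engineering deployment' `
    -Enabled $true

# Moving within the same domain is allowed
$pc = Get-ADComputer -Identity 'ENG-WS-0042'
Move-ADObject -Identity $pc.DistinguishedName -TargetPath "OU=Workstations,OU=Sales,$domainDn"

# The default containers listed on the slide cannot be moved. A move attempt
# on one of them is caught here rather than reported as a generic failure.
$defaultContainers = 'Builtin', 'Computers', 'Domain Controllers', 'ForeignSecurityPrincipals', 'Users'

function Move-IfAllowed {
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$TargetPath)
    $obj = Get-ADObject -Identity $Identity
    if ($obj.DistinguishedName -match "^(CN|OU)=([^,]+),$([regex]::Escape($domainDn))$" -and
        $defaultContainers -contains $Matches[2]) {
        Write-Warning "$($obj.Name) is a default container and cannot be moved"
        return
    }
    Move-ADObject -Identity $obj.DistinguishedName -TargetPath $TargetPath
}

Move-IfAllowed -Identity "CN=Users,$domainDn" -TargetPath "OU=Sales,$domainDn"   # refused
Move-IfAllowed -Identity "OU=Groups,OU=Sales,$domainDn" -TargetPath "OU=Engineering,$domainDn"
```

Pre-staging also lets you set the description, group membership and OU before the machine exists, which is where Group Policy scoping for the new workstation is decided.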

Creating Group Objects
Windows Server 2003 group
  Container object
  Used to organize a collection of users, computers, contacts, or other groups into a single security principal
  Simplifies administration: rights and resource permissions can be assigned to a group rather than to individual users

Creating Group Objects (Continued)
Groups and OUs
  Similarity
    Both are used to organize other objects into logical containers
  Differences
    Permissions and rights
      OUs are not security principals and as such cannot be used to define permissions on resources or be assigned rights
      Active Directory security groups are security principals that can be assigned both permissions and rights

Creating Group Objects (Continued)
    Objects that they can contain
      OUs can only contain objects from their parent domain
      Some groups can contain objects from any domain within the forest

Group Types
Windows Server 2003 allows two group types:
  Distribution group
    Typically used with applications to provide a list of users (Microsoft Exchange)
    Cannot be used to assign access permissions
    Does not have an associated SID
    Cannot be listed in discretionary access control lists (DACLs) used to define permissions on resources and objects
  Security group
    Primarily used to grant access
    Defined by a Security Identifier (SID)
    Can be listed in DACLs
    Can also be used like a distribution group for e-mail, if the group has an e-mail address assigned

Group Scopes
Group scope
  The logical boundary within which a group can be assigned permissions to a specific resource within the domain or forest
Security and distribution groups in Active Directory can be assigned one of three possible scopes:
  Global
  Domain local
  Universal

Global
A global group
  Can be assigned permissions to any resource in any domain within the forest
  Can only contain members of the same domain in which it is created
  Mainly used to organize user objects into logical groupings according to function (role, task, or title)

Domain Local
A domain local group
  Can only be assigned permissions to a resource available in the local domain in which it is created
  Group membership can come from any domain within the forest
  Mainly used to assign access permissions to a resource

Universal
A universal group
  Can be assigned permissions to any resource in any domain within the forest
  Purpose: used to organize users or groups of users in global groups
  Implemented via the global catalog (GC); replication traffic limits usability. Solution?
Differences between universal and global groups
  A universal group can consist of user objects from any domain in the forest; global groups can only consist of user objects from the same domain
  Universal groups are only available when a domain is configured in Windows 2000 native mode or the Windows Server 2003 functional level

Windows Server 2003 group summary

Creating Group Objects
Steps to create group objects in Active Directory
  Decide in which container object the group should be created
  Choose an appropriate group name, scope, and type
To create universal groups
  A domain must be switched to native mode

Modifying Group Memberships
Membership can be added once a group object is created
Depending upon which type of group is created, Windows Server 2003 groups can possibly contain
  Users
  Contacts
  Other groups
  Computers

Adding or modifying memberships

Changing a Group Scope
A group can change its scope as long as the group's membership rules are not violated
Rules for changing group scopes
  You can only change a global group to a universal group as long as it is not a member of another global group
  You can only change a domain local group to a universal group as long as it does not contain any other domain local groups as a member
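As an added example (not from the original slides), the PowerShell below creates security and distribution groups with an explicit type and scope, nests one global group inside another, and then checks the two scope-change rules from the slide above before converting a group to universal. Group names and the OU path are assumptions; the groupType bit values are the standard ones from the Active Directory schema.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory
# module and an OU=Groups container; group names are made up.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$groupOu  = "OU=Groups,OU=Engineering,$domainDn"

# Security groups carry a SID and can appear in DACLs; a distribution group cannot.
New-ADGroup -Name 'G-Engineering-Staff' -GroupCategory Security     -GroupScope Global    -Path $groupOu
New-ADGroup -Name 'G-Engineering-Leads' -GroupCategory Security     -GroupScope Global    -Path $groupOu
New-ADGroup -Name 'DL-Engineering-News' -GroupCategory Distribution -GroupScope Universal -Path $groupOu

# Nesting (native mode or later): global group inside another global group
Add-ADGroupMember -Identity 'G-Engineering-Staff' -Members 'G-Engineering-Leads'

function Test-ScopeChange {
    # Returns $true when the requested change does not violate the membership rules
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')][string]$NewScope
    )
    $g = Get-ADGroup -Identity $GroupName -Properties memberOf, members
    switch ("$($g.GroupScope)->$NewScope") {
        'Global->Universal' {
            # Refused while this group is itself a member of another global group
            $globalParents = @($g.memberOf | ForEach-Object { Get-ADGroup -Identity $_ } |
                Where-Object { $_.GroupScope -eq 'Global' })
            return ($globalParents.Count -eq 0)
        }
        'DomainLocal->Universal' {
            # Refused while this group contains another domain local group (groupType bit 0x4)
            $dlMembers = @($g.members | ForEach-Object { Get-ADObject -Identity $_ -Properties groupType } |
                Where-Object { $_.ObjectClass -eq 'group' -and ($_.groupType -band 0x4) })
            return ($dlMembers.Count -eq 0)
        }
        default { throw "Change $($g.GroupScope) -> $NewScope is not covered by the rules implemented here" }
    }
}

# G-Engineering-Leads is nested in a global group, so the conversion must be refused
if (Test-ScopeChange -GroupName 'G-Engineering-Leads' -NewScope Universal) {
    Set-ADGroup -Identity 'G-Engineering-Leads' -GroupScope Universal
} else {
    Write-Warning 'G-Engineering-Leads is a member of a global group; remove that membership first'
}

# G-Engineering-Staff has no global parent, so this conversion goes through
if (Test-ScopeChange -GroupName 'G-Engineering-Staff' -NewScope Universal) {
    Set-ADGroup -Identity 'G-Engineering-Staff' -GroupScope Universal
}
```

Set-ADGroup would reject the invalid change on its own, but checking first gives an actionable message (which membership to remove) instead of a generic constraint violation.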

Understanding the Built-in Local Groups
Built-in local security groups
  Have various preassigned rights
  Can be used to allow users to perform certain network tasks
  Ease the implementation of delegation and security rights throughout the network
  Found in the Builtin container
Built-in global groups
  Found in the Users container

Local groups and their rights

Viewing built-in global groups

Managing Security Groups
The acronym A G U DL P can be used to implement the use of security groups
  1. User Accounts (A): create user accounts and organize them within Global groups (G)
     Often users are grouped in global groups based on departments in the organization
  2. Optional: Universal groups (U): create universal groups and place global groups from any domain within the universal groups

Managing Security Groups (Continued)
  3. Domain Local groups (DL): create domain local groups that represent the resources to which you want to control access, and add the global or universal groups to the domain local groups
  4. Permissions (P): assign permissions to the domain local groups
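As an added example (not from the original slides), the PowerShell below carries the A G DL P pattern through end to end for one shared folder: accounts go into a global role group, the role group is nested in a domain local resource group, and only the domain local group is written into the folder's DACL. The domain name CORP, the group names, the folder path and the user are assumptions.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory
# module, domain CORP, an OU=Groups container and an existing user alovelace.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$groupOu  = "OU=Groups,OU=Sales,$domainDn"

# A -> G : accounts are organized into a global group by role/department
New-ADGroup -Name 'G-Sales-Staff' -GroupCategory Security -GroupScope Global -Path $groupOu
Add-ADGroupMember -Identity 'G-Sales-Staff' -Members 'alovelace'

# DL : one domain local group per resource and access level
New-ADGroup -Name 'DL-SalesShare-Modify' -GroupCategory Security -GroupScope DomainLocal -Path $groupOu
New-ADGroup -Name 'DL-SalesShare-Read'   -GroupCategory Security -GroupScope DomainLocal -Path $groupOu

# G -> DL : the role group becomes a member of the resource group
Add-ADGroupMember -Identity 'DL-SalesShare-Modify' -Members 'G-Sales-Staff'

# P : permissions are granted to the domain local groups only, never to users
$folder = 'D:\Shares\Sales'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting the drive-root ACL, start from a clean DACL
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

$grants = @(
    @{ Id = 'CORP\DL-SalesShare-Modify'; Rights = 'Modify' },
    @{ Id = 'CORP\DL-SalesShare-Read';   Rights = 'ReadAndExecute' },
    @{ Id = 'BUILTIN\Administrators';    Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';       Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $g.Id, $g.Rights, $inherit, 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Verify: every ACE names a group, and the user gains access only through G -> DL
(Get-Acl -Path $folder).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
Get-ADPrincipalGroupMembership -Identity 'alovelace' | Select-Object Name, GroupScope
```

Granting to the domain local group means a change of job for alovelace is a single membership edit in the global group; the folder's DACL never has to be touched. If the groups were created on a different domain controller than the one resolving the CORP\ names, wait for replication before Set-Acl, or the account lookup fails.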

Groups and Their Users
  The access token is built during the logon process
  The access token is compared to entries in the Access Control List (ACL) of resources, called Access Control Entries (ACEs)
  The user is allowed to access the resource based upon group membership
  Multiple users can gain access to a single resource, or obtain a group of permissions (such as changing the system time, shutting down the computer, and so on), just by being members of a group

Group Nesting: Windows 2000 Native or Later Domain Functional Level
  You can use additional groups, which are either global or universal, to create groups that hold other groups
  This allows you to further organize or separate your administrative hierarchy
  The broken arrows in this diagram illustrate some of the options for nesting groups

Administering Permissions in Active Directory
  Active Directory uses permissions to protect the creation, deletion, or viewing of objects within the database
  By default, administrators have full access to all objects within the domain
  Users are given the initial permission to read most attributes of the objects stored in the database

Active Directory Object Permissions
Active Directory objects can be assigned permissions at two levels:
  Object-level permissions
    Define which types of objects a user or group can view, create, delete, or modify within Active Directory
    Can be applied according to a preconfigured set of standard permissions
  Attribute-level permissions
    Define which attributes of a certain object a user or group can view or modify within Active Directory

Common standard permissions available in Windows Server 2003 Active Directory

Permission Inheritance
  By default, all child objects inside a container object inherit permissions from parent objects
  Permission inheritance and careful planning can eliminate the need to assign permissions to
    Every container object, or
    Every object inside a container
  The default inheritance of permissions can be modified by blocking the inheritance at a container or object level

Delegating Authority Over Active Directory Objects
Steps to delegate the administration of Active Directory
  Design the OU structure so that the administration work can be distributed
  Configure the appropriate level of administrative permissions for each administrator
Delegation of Control Wizard
  Guides you through the process of determining the permissions that you want to delegate
  Configures permissions for the object and child objects
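As an added example (not from the original slides), the PowerShell below covers the three preceding slides in one pass: it lists the permissions on an OU with their inheritance state, blocks inheritance at that OU, and then delegates a single attribute-level right (reset password on user objects) to a help desk group, which is the kind of narrow grant the Delegation of Control Wizard produces. The OU and group names are assumptions; the two GUIDs are the well-known schema identifiers for the user object class and the Reset Password extended right.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory
# module (which provides the AD: drive) and an existing help desk group.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Users,OU=Sales,$domainDn"
$adPath   = "AD:\$ouDn"

# 1. Object-level view: who holds what on this OU, and which entries are inherited
Get-Acl -Path $adPath | Select-Object -ExpandProperty Access |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, IsInherited

# 2. Block inheritance at this container, keeping copies of the inherited entries
$acl = Get-Acl -Path $adPath
$acl.SetAccessRuleProtection($true, $true)   # isProtected = $true, preserveInheritance = $true
Set-Acl -Path $adPath -AclObject $acl

# 3. Attribute-level delegation: Help Desk may reset passwords on user objects
#    below this OU and nothing else (no GenericAll, no write to other classes).
$userClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # rightsGuid of "Reset Password"
$helpDeskSid       = (Get-ADGroup -Identity 'DL-HelpDesk-PasswordReset').SID

$ruleArgs = @(
    $helpDeskSid                                                          # who
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight       # what kind of right
    [System.Security.AccessControl.AccessControlType]::Allow
    $resetPasswordGuid                                                    # which extended right
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents   # child objects only
    $userClassGuid                                                        # ... of class user
)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# 4. Verify that the help desk entry is the narrow one intended
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference -like '*HelpDesk*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The verification step matters: a delegated ACE that shows GenericAll, or an empty ObjectType, grants far more than "reset password". The wizard's "Reset user passwords and force password change at next logon" task additionally writes the pwdLastSet attribute; this example grants the extended right only.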

Delegating an administrative task in Active Directory

Managing Active Directory Replication
Replication
  The process of directory data being synchronized and maintained between domain controllers throughout the domain
Multi-master replication model
  Used by Windows Server 2003
  Multiple domain controllers have the authority to update and replicate database changes to each domain controller
  Provides a level of fault tolerance

Managing Active Directory Replication (diagram): multimaster replication between Domain Controller A, Domain Controller B, and Domain Controller C

Replication Components and Processes
When an object is created, deleted, or modified, replication has to take place among all domain controllers within the domain
  Originating update
    Initial modification to the database on a specific domain controller
  Replicated updates
    All synchronized copies sent to other domain controllers
  Replication latency
    Time that it takes to replicate an update to another domain controller

How Replication Works (diagram): an Active Directory update (Add, Modify, Move, Delete) is an originating update on Domain Controller A and is sent as a replicated update to Domain Controller B and Domain Controller C

Replication Latency (diagram)
  Default replication latency (initial change notification delay + subsequent notification delay) = 15 sec + 3 sec
  When there are no changes, scheduled replication = one hour
  Urgent replication = immediate
  Flow shown: originating update on Domain Controller A, change notification to Domain Controllers B and C, replicated update on each

Identifying Replication Problems
Three main areas that can cause potential conflict within the database
  Attribute value errors
    Occur when the same attribute of an object is edited at the same time on two different domain controllers
  Placing objects within containers marked for deletion
    Occurs when one administrator deletes a container, while another administrator creates an object or moves an object into the deleted container before replication takes place

Identifying Replication Problems (Continued)
  Sibling name errors
    Occur if two administrators concurrently create an object with the same relative distinguished name on two different domain controllers
To help resolve possible conflicts, Active Directory applies unique stamps to every attribute that is replicated

Resolving Replication Conflicts (diagram): conflicting originating updates on Domain Controller A and Domain Controller B are each tagged with a stamp consisting of a version number, a timestamp, and the server GUID

Identifying Replication Problems
Tools that can assist in viewing replication information or diagnosing replication problems
  Event Viewer
  DCDIAG
  Replication Monitor
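As an added example (not from the original slides), the PowerShell below pulls replication status from the sources the slides name (the Directory Service event log, DCDIAG, and the repadmin / Get-ADReplication* successors of Replication Monitor), reads the per-attribute stamps that Active Directory keeps for conflict resolution, and then applies the stamp precedence from the preceding slides to two constructed stamps. The domain controller names and the user are assumptions; the Get-ADReplication* cmdlets require the Windows Server 2012 or later ActiveDirectory module.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory
# module and two domain controllers named DC1 and DC2; sample user is made up.
Import-Module ActiveDirectory

# Event Viewer: recent errors (level 2) and warnings (level 3) in the Directory Service log
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 2, 3 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# DCDIAG: run the replication test against one domain controller
dcdiag /s:DC1 /test:replications

# Replication Monitor's command-line successors: partner state and failures
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target 'DC1' -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
Get-ADReplicationFailure -Target 'DC1' |
    Select-Object Partner, FailureType, FailureCount, FirstFailureTime

# Conflict stamps: the same attribute as each DC currently sees it. A difference in
# Version or LastOriginatingChangeTime between DCs means replication is still pending.
$user = Get-ADUser -Identity 'alovelace'
foreach ($dc in 'DC1', 'DC2') {
    Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $dc |
        Where-Object { $_.AttributeName -eq 'description' } |
        Select-Object Server, AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerInvocationId
}

# Stamp precedence from the slides: version number first, then timestamp, then the
# originating server GUID as the final tiebreak. Applied here to constructed stamps.
function Select-WinningStamp {
    param([Parameter(Mandatory)][pscustomobject]$A, [Parameter(Mandatory)][pscustomobject]$B)
    if ($A.Version -ne $B.Version)     { return ($A, $B | Sort-Object -Property Version -Descending)[0] }
    if ($A.Timestamp -ne $B.Timestamp) { return ($A, $B | Sort-Object -Property Timestamp -Descending)[0] }
    return ($A, $B | Sort-Object -Property { $_.ServerGuid.ToString() } -Descending)[0]
}

# Constructed: both DCs edited the attribute at version 3; only the timestamps differ
$stampA = [pscustomobject]@{ Origin = 'DC1'; Version = 3; Timestamp = [datetime]'2024-01-01T10:00:05Z'; ServerGuid = [guid]'11111111-1111-1111-1111-111111111111' }
$stampB = [pscustomobject]@{ Origin = 'DC2'; Version = 3; Timestamp = [datetime]'2024-01-01T10:00:01Z'; ServerGuid = [guid]'22222222-2222-2222-2222-222222222222' }
$winner = Select-WinningStamp -A $stampA -B $stampB
"Winning originating update came from $($winner.Origin)"   # equal versions, so the later timestamp decides
```

Reading the attribute metadata from two DCs side by side is the quickest way to confirm an "attribute value error" in practice: if both show the same version but different originating DSAs, a conflict was resolved by stamp, and the losing edit should be reviewed with its author.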

Summary
  Active Directory Users and Computers
    Primary tool used to manage users, groups, OUs, and published information within a domain
  Main goal when designing an OU structure
    A granular structure that meets the group policy and delegation needs of the organization
  Possible standards regarding user accounts
    Establishing a naming convention
    Determining password ownership
    Determining which attributes are required

Summary (Continued)
  A computer account
    Can be created automatically during the initial client installation of the operating system
    Can be preconfigured in Active Directory before the initial installation
  Types of groups in Windows Server 2003
    Security groups
    Distribution groups
  Possible group scopes
    Domain local
    Global
    Universal

Summary (Continued)
  Acronym A G U DL P
    Can be used when implementing the use of security groups
  Active Directory permissions can be assigned at
    Object level
    Attribute level
  Delegation of Control Wizard
    Simplifies the process of applying and delegating Active Directory object permissions

Summary (Continued)
  Main replication problems
    Attribute-level conflicts
    Sibling name conflicts
    Creating or moving objects to deleted containers