Module 7 Active Directory and Account Management.

Objectives
Explain the purpose of Active Directory and its key features
Describe containers in Active Directory
Understand user account management
Explain security group management and implement security groups
Implement user profiles

Introduction to Active Directory
Directory service that houses information about all network resources
Centralized management allows for quick searches and access to resources
Hierarchical organization of elements provides the ability to control user access
Used in Windows 2000 Server and Windows Server 2003
  – Windows NT servers use the SAM database
  – Active Directory improves on SAM by:
      Providing complete management of all resources
      Allowing writeable copies on all domain controllers

Active Directory Terminology
Object
  – Network resource defined in a domain
  – Has distinct attributes and properties
Container
  – An object that holds other objects
Domain
  – A fundamental container that holds a group of resource objects
Domain controller (DC)
  – A Windows 2003 server that contains a full copy of the Active Directory information

Replication in Active Directory
Multimaster replication
  – Any change on one DC is replicated to all other DCs
  – If one DC fails, there is no visible network interruption
Replication can be set to occur at preset intervals instead of as soon as an update occurs
Network traffic due to replication is reduced by:
  – Replicating individual properties instead of entire accounts
  – Replicating based on the speed of the network link
      Replicate more frequently over a LAN than over a WAN

Installing Active Directory
Make a Windows 2003 server a DC by installing Active Directory
A DNS server must be available to complete installation

Schema
Defines the object classes and their attributes that can be contained in Active Directory
Each object class contains a globally unique identifier (GUID)
  – Unique number associated with an object name
An object class may have required and optional attributes
Each attribute is given a version number and date when created or modified
  – Allows updates on only that value in all DCs
Windows Server 2003 has several default object classes

Global Catalog
Stores information about every object within a forest
  – Full replicas of objects in its own domain and partial replicas of objects in other domains
Authenticates users when they log on
Provides lookup and access to all resources in all domains
Provides replication of key Active Directory elements
Keeps a copy of the most used object attributes for quick access

Namespace
A logical area on a network that contains directory services and named objects
Performs name resolution through a DNS server in its designated DNS namespace
Active Directory must be able to access a DNS server on the network
DNS and Active Directory namespaces can be on a single computer or be distributed across several servers
Two types of namespaces:
  – In a contiguous namespace, the child object's name contains the name of the parent object
  – In a disjointed namespace, the child name does not resemble the parent name

Containers in Active Directory
Hierarchical elements arranged in a treelike structure
Containers in Active Directory include:
  – Forests
  – Trees
  – Domains
  – Organizational units
  – Sites

Forests
Highest-level container that consists of one or more trees in a common relationship
The trees can use a disjointed namespace
All trees use the same schema
All trees use the same global catalog
Domains enable administration of commonly associated objects
Two-way transitive trusts between domains

Trust relationships
Two-way trust
  – Members of each domain can have access to the resources of the other
Transitive trust
  – If A and B have a trust and B and C have a trust, A and C automatically have a trust
Kerberos transitive trust relationship
  – A two-way transitive trust that uses Kerberos security techniques
Forest trust
  – A Kerberos transitive trust between the root domains of two Windows Server 2003 forests
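The transitive rule on this slide (A trusts B and B trusts C, so A trusts C) worked as a small path search. This is an added example, not part of the presentation; the forest and domain names are constructed, and it also encodes a case the slide does not spell out, namely that a forest trust does not chain on to a third forest.

```python
"""Transitive trust reachability, as described on the 'Trust relationships' slide.

Added example, not from the presentation; forest and domain names are constructed.
Parent-child and tree-root trusts inside a forest are two-way and transitive.
A forest trust is transitive between the two forests it joins but does not chain
on to a third forest (a generalisation beyond the slide's wording).
"""
from collections import defaultdict, deque

PARENT_CHILD, TREE_ROOT, FOREST = "parent-child", "tree-root", "forest"


def trust_path(src, dst, edges):
    """Return the list of domains on a trust path from src to dst, or None.

    edges: iterable of (domain_a, domain_b, kind). Every edge is two-way.
    The search may cross at most one FOREST edge, which is what makes
    forest-to-forest trust non-chaining.
    """
    adjacent = defaultdict(list)
    for a, b, kind in edges:
        adjacent[a].append((b, kind))
        adjacent[b].append((a, kind))
    queue = deque([(src, 0, [src])])      # (domain, forest trusts crossed, path)
    seen = {(src, 0)}
    while queue:
        domain, forest_hops, path = queue.popleft()
        if domain == dst:
            return path
        for nxt, kind in adjacent[domain]:
            hops = forest_hops + (1 if kind == FOREST else 0)
            if hops > 1 or (nxt, hops) in seen:
                continue
            seen.add((nxt, hops))
            queue.append((nxt, hops, path + [nxt]))
    return None


def trusts(src, dst, edges):
    """True if src and dst are joined by a (possibly transitive) trust."""
    return trust_path(src, dst, edges) is not None


# Constructed topology: forest A (corp.example tree with a child domain, plus a
# second tree sales.example), forest B (partner.example), forest C (other.example).
SAMPLE_TRUSTS = [
    ("corp.example", "eu.corp.example", PARENT_CHILD),
    ("corp.example", "sales.example", TREE_ROOT),
    ("corp.example", "partner.example", FOREST),
    ("partner.example", "other.example", FOREST),
]

if __name__ == "__main__":
    print(trust_path("eu.corp.example", "partner.example"))  # via corp.example
    print(trust_path("eu.corp.example", "other.example"))    # None: two forest hops
```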

Trees
Contain one or more domains that are in a common relationship
Domains are in a contiguous namespace and can be in a hierarchy
  – All domains share a portion of their namespace
Parent and child domains are in a Kerberos transitive trust relationship
All domains use the same schema for all types of common objects
All domains use the same global catalog

Domain
Primary container of a group of objects
Provides a partition in which to house objects that have a common relationship
  – Partitions reflect management and security relationships
Establishes a set of information to be replicated from one DC to another
Expedites management of a set of objects

Organizational Unit
Grouping of objects within a domain
Enables the delegation of server administration roles
  – Groups objects according to management tasks
Provides the ability to administer objects with Group Policies
  – Groups objects with similar security access
Can be nested within other OUs

Site
Groups objects by physical location to identify the fastest route between clients and servers and between DCs
Reflects one or more interconnected subnets
Is used for DC replication
  – Sets up redundant paths between DCs
  – Coordinates replication between sites with a bridgehead server
Enables a client to access the DC that is physically closest
Is composed of only two types of objects:
  – Servers
  – Configuration objects

Container Guidelines
Keep Active Directory as simple as possible and plan its structure before you implement it
Implement the least number of domains possible
Implement only one domain on most small networks
When an organization is planning to reorganize, use OUs to reflect the organization’s structure
Create only the number of OUs that are absolutely necessary

Container Guidelines (cont.)
Do not build an Active Directory with more than 10 levels of OUs (one or two levels is preferable)
Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
Implement multiple trees and forests only as necessary
Use sites where there are multiple IP subnets and geographic locations to improve logon and replication performance

User Account Management
Environments to set up and manage accounts
  – Through a standalone server without Active Directory: use the Local Users and Groups tool
  – In a domain where Active Directory is installed: use the Active Directory Users and Computers tool
Management tasks:
  – Creating an account
  – Disabling, enabling, and renaming accounts
  – Moving an account
  – Resetting a password
  – Deleting an account

It is easier to disable an old account, rename it, and enable the account with a new name than to delete the account and create a new one

Deleting an Account
Delete accounts that are no longer in use
  – Provides for easier account management
  – Reduces the exposure to security risks
When an account is deleted, its GUID is also deleted and is not reused
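The GUID point above, together with the rename-rather-than-delete advice two slides back, as an added example that is not from the presentation: ACL entries refer to the account's GUID, so renaming keeps access while delete-and-recreate leaves orphaned entries. The directory model, the account and resource names, and the use of uuid4 in place of a real directory-assigned GUID are assumptions.

```python
"""Why the slides advise renaming and re-enabling an old account instead of
deleting it: the directory refers to an account by its GUID, and a deleted
GUID is never reused, so ACL entries that named it become orphans.
Added example, not part of the presentation; names are constructed and uuid4
stands in for the directory-assigned GUID."""
import uuid


class Directory:
    def __init__(self):
        self.accounts = {}     # guid -> {"name": str, "enabled": bool}
        self.acls = {}         # resource -> set of GUIDs granted access

    def create_account(self, name):
        guid = str(uuid.uuid4())
        self.accounts[guid] = {"name": name, "enabled": True}
        return guid

    def guid_of(self, name):
        return next(g for g, a in self.accounts.items() if a["name"] == name)

    def grant(self, resource, guid):
        self.acls.setdefault(resource, set()).add(guid)

    def disable(self, guid):
        self.accounts[guid]["enabled"] = False

    def enable(self, guid):
        self.accounts[guid]["enabled"] = True

    def rename(self, guid, new_name):
        self.accounts[guid]["name"] = new_name

    def delete(self, guid):
        del self.accounts[guid]         # ACL entries still carry the old GUID

    def has_access(self, resource, guid):
        account = self.accounts.get(guid)
        return bool(account and account["enabled"] and guid in self.acls.get(resource, ()))

    def orphaned_acl_entries(self):
        """ACL entries whose GUID no longer resolves to an account."""
        return {r: {g for g in gs if g not in self.accounts} for r, gs in self.acls.items()}


def reuse_by_rename(d, old_name, new_name):
    """The slides' recommended path: disable, rename, re-enable. GUID and access survive."""
    guid = d.guid_of(old_name)
    d.disable(guid)
    d.rename(guid, new_name)
    d.enable(guid)
    return guid


def replace_by_delete(d, old_name, new_name):
    """Delete and recreate: a new GUID, so every resource grant must be redone."""
    d.delete(d.guid_of(old_name))
    return d.create_account(new_name)
```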

Security Group Management
Group management eliminates repetitive steps in managing user and resource access
The scope of a group determines its reach for gaining access to Active Directory objects
Group types according to scope:
  – Local
  – Domain local
  – Global
  – Universal
Group types according to use:
  – Security
  – Distribution

Implementing Local Groups
Used on standalone servers that are not part of a domain
Also used on member servers in a domain
Scope does not go beyond the local server
Divided on the basis of security access to the local server
Created using the Local Users and Groups tool

Implementing Domain Local Groups
Used on a single domain or to manage resources in a particular domain
Gives global and universal groups from the same or other domains access to resources
Usually placed in ACLs to give resource access to its members
  – An access control list (ACL) is a list of security privileges for a particular object
Scope is the domain in which the group exists
Can be converted to a universal group if:
  – Other domain local groups are not contained within it
  – The domain is in Windows Server 2003 mode

Domain Functional Levels
Determined by the type of servers in a domain
Three functional-level modes:
  – Windows 2000 mixed mode: combination of NT, 2000, and 2003 servers
  – Windows 2000 native mode: only 2000 and 2003 servers
  – Windows 2003 mode: only 2003 servers
The default mode is either mixed or native
  – Change the mode through the Raise Functional Level dialog box

Implementing Global Groups
Intended to contain user accounts from a single domain
Used to manage group accounts in a domain so that the accounts can access resources in the same domain and in other domains
Can access resources in other domains through membership in other global, domain local, or universal groups
Can contain user accounts and other global groups from the domain in which it was created
Can be converted to a universal group with the same restrictions as domain local groups

Implementing Universal Groups
Used to provide easy access to resources in any domain within a forest
Membership can include user accounts, global groups, and universal groups from any domain
Provides the ability to manage security for single accounts with minimal effort
Simplifies access when there are multiple domains
To create a universal group, it may be necessary to convert the domain to Windows Server 2003 mode

Guidelines for Security Groups
Use global groups to hold accounts as members
Keep nesting of global groups to a minimum
Give accounts access to resources by making their global group a member of other groups
Use domain local groups to provide access to resources in a specific domain
Avoid placing accounts in domain local groups
Use universal groups to provide extensive access to resources by placing them in ACLs
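The membership rules from the domain local, global and universal group slides, the conversion rule as those slides state it, and the guidelines just above, as one added checker that is not part of the presentation. The domain-mode string, the group and domain names, and the Principal model are constructed for illustration.

```python
"""Group-scope nesting and conversion rules from the slides, as a small checker.
Added example, not part of the presentation; domain and group names are constructed.
"""
from dataclasses import dataclass, field

USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "user", "global", "domain local", "universal"


@dataclass
class Principal:
    name: str
    domain: str
    scope: str      # USER for an account, otherwise the group scope
    members: list = field(default_factory=list)


def may_contain(group, member):
    """True if 'member' may be nested directly in 'group' under the scope rules."""
    same_domain = group.domain == member.domain
    if group.scope == GLOBAL:        # users and global groups from its own domain only
        return member.scope in (USER, GLOBAL) and same_domain
    if group.scope == UNIVERSAL:     # users, global and universal groups from any domain
        return member.scope in (USER, GLOBAL, UNIVERSAL)
    if group.scope == DOMAIN_LOCAL:  # any of the above from any domain; domain local only from own
        return member.scope != DOMAIN_LOCAL or same_domain
    return False                     # accounts cannot have members


def add_member(group, member):
    """Nest 'member' in 'group', refusing what the scope rules forbid."""
    if not may_contain(group, member):
        raise ValueError(f"{group.scope} group {group.name} cannot contain "
                         f"{member.scope} {member.name} from {member.domain}")
    group.members.append(member)


def can_convert_to_universal(group, domain_mode):
    """Conversion rule as the slides state it: no nested groups of the group's own
    scope, and the domain in Windows Server 2003 mode."""
    if group.scope not in (GLOBAL, DOMAIN_LOCAL):
        return False
    nested_same_scope = any(m.scope == group.scope for m in group.members)
    return not nested_same_scope and domain_mode == "Windows Server 2003"


def guideline_warnings(group):
    """Flag departures from the 'Guidelines for Security Groups' slide."""
    warnings = []
    if group.scope == DOMAIN_LOCAL and any(m.scope == USER for m in group.members):
        warnings.append(f"{group.name}: accounts placed directly in a domain local group")
    if group.scope == GLOBAL and any(m.scope == GLOBAL for m in group.members):
        warnings.append(f"{group.name}: global group nested inside a global group")
    return warnings
```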

Properties of Groups
General
  – Modify description, scope and type of group, and addresses for a distribution group
Members
  – Add or remove members from a group
Member Of
  – Add or remove the group’s membership in another group
Managed by
  – Establish an account or group that manages the group

Implementing User Profiles
Local user profile
  – Stored on the local computer
  – Multiple users can use the same computer and maintain customized settings
Roaming profile
  – Downloaded to the client from the server
  – Same settings are available to users regardless of the computer they log on to
Mandatory profile
  – Stored on the server
  – A user can modify settings, but cannot save them

Summary
Active Directory
  – Directory service that provides ways to manage resources in a network
Object
  – Most basic component in Active Directory
  – Defined through an information set called a schema
Global catalog
  – Stores information about every object
  – Replicates key elements
  – Authenticates user logons
Namespace
  – Uses the DNS namespace for name resolution
  – Active Directory requires a DNS server

Summary
Active Directory hierarchy
  – Forest, trees, domains, organizational units, and sites
Active Directory design
  – Keep the structure as simple as possible
User accounts
  – Customize account properties
  – Management tasks include disabling, enabling, renaming, moving, and deleting accounts
Security group management
  – Local, domain local, global, and universal groups
User profiles
  – Used to customize accounts