Presentation is loading. Please wait.

Presentation is loading. Please wait.

Administering Active Directory

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Administering Active Directory"— Presentation transcript:

1 Administering Active Directory
Chapter 3 Administering Active Directory

2 Objectives Create and modify Active Directory objects such as organizational units, users, computers, and groups Identify and troubleshoot Active Directory group types and scopes Administer Active Directory object permissions Manage and troubleshoot Active Directory replication

3 Administering Active Directory Objects
Types of objects stored in the Active Directory database: Container object Used to contain and organize related objects within the Active Directory hierarchy Can consist of other child containers or leaf objects Example: organizational unit (OU) Leaf object Represents resources within a selected domain Stored within a container Cannot contain other objects Examples: user object, computer object

4 Administering Active Directory Objects (Continued)
Administrative Tools menu Contains a number of management tools, such as Active Directory Users and Computers Active Directory Sites and Services Active Directory Domains and Trusts

5 Exploring Active Directory Users and Computers
MMC application with the filename of Dsa.msc Primary administration tool used to manage the following within an Active Directory domain Users Groups OUs Published information One of the tools used to create and manage Group Policy objects

6 Viewing the Active Directory Users and Computers console

7 Exploring Active Directory Users and Computers (Continued)
Default container objects Several container objects are automatically created when a Windows Server 2003 server is promoted to domain controller Active Directory Users and Computers can create a number of objects within a domain

8 Purpose of the default container objects in Active Directory

9 Objects available in Active Directory Users and Computers

10 Creating Organizational Units
Organizational unit (OU) A logical container that contains other objects, such as Users Groups Computers Published resources Other OUs Can only consist of objects from its home domain Main reason to create an OU Organize and partition a single domain into logical administrative units

11 Creating Organizational Units (Continued)
Things to keep in mind when designing an OU structure Administrative delegation Group Policy Goal in designing a domain The domain should be Logically organized Easy to administer Easy to control

12 Creating New User Accounts
User account object Represents all the information that defines a physical user with access permissions to the network Can assist in the administration and security of the network by making it possible to: Require authentication of anyone connecting to network Control access to network resources such as shared folders or printers Monitor access to resources by auditing actions performed by a user logged on with a specific account

13 Creating a new user object

14 Creating New User Accounts (Continued)
Standards on the elements of a user object might include Establishing a naming convention Controlling password ownership Including additional required attributes A number of initial account settings can be configured when creating a user account, such as Whether a user’s password ever expires If the account should initially be disabled

15 Initial account policy options for a new user account

16 Creating New User Accounts (Continued)
Once a user account is created, a number of additional tasks and attributes can be applied, such as: Copy Add to a Group Disable Account Reset Password Move Open Home Page Send Mail Properties

17 Creating New User Accounts (Continued)
To view and modify user account attributes Right-click the user account, then Click Properties Properties dialog box of a user account Tabs allow you to Add specific information, or Enable specific functionality for the user account

18 Properties of a user account object

19 Creating Computer Accounts
An Active Directory object Can be created in two primary ways: During initial installation of client operating system Preconfigured in Active Directory before client installation

20 Creating a new computer object

21 Moving Active Directory Objects
Objects created within the Active Directory Users and Computers console can be moved between containers within the same domain Containers that cannot be moved: Builtin Computers Domain Controllers ForeignSecurityPrincipals Users The default local groups found in the Builtin container cannot be moved

22 Creating Group Objects
Windows Server 2003 group Container object Used to organize collection of users, computers, contacts, or other groups into a single security principal Simplifies administration Rights and resource permissions can be assigned to a group rather than to individual users

23 Creating Group Objects (Continued)
Groups and OUs Similarity Both are used to organize other objects into logical containers Differences Permissions and rights OUs are not security principals and as such cannot be used to define permissions on resources or be assigned rights Active Directory security groups are security principals that can be assigned both permissions and rights

24 Creating Group Objects (Continued)
Objects that they can contain OUs can only contain objects from their parent domain Some groups can contain objects from any domain within the forest

25 Group Types Windows Server 2003 allows two group types:
Distribution group Typically used with applications to provide a list of users (Microsoft Exchange) Cannot be used to assign access permissions Does not have associated SID Cannot be listed in in discretionary access control lists (DACLs) used to define permissions on resources and objects. Security group Primarily used to grant access Defined by Security Identifier (SID) Can be listed in DACLs. Can also be used like a distribution group for , if the group has an address assigned

26 Group Scopes Group scope
The logical boundary within which a group can be assigned permissions to a specific resource within the domain or forest Security and distribution groups in Active Directory can be assigned one of three possible scopes Global Domain local Universal

27 Global A global group Can be assigned permissions to any resource in any domain within the forest Can only contain members of the same domain in which it is created Mainly used to organize user objects into logical groupings according to function(role, task, or title).

28 Domain Local A domain local group
Can only be assigned permissions to a resource available in the local domain in which it is created Group membership can come from any domain within the forest Mainly used to assign access permissions to a resource

29 Universal A universal group
Can be assigned permissions to any resource in any domain within the forest Purpose: Used to organize users or groups of users in global groups. Implemented via GC Replication traffic limits usability Solution? Differences between universal and global groups A universal group can consist of user objects from any domain in the forest; global groups can only consist of user objects from the same domain Universal groups are only available when a domain is configured in Windows 2000 native mode or the Windows Server 2003 functional level

30 Windows Server 2003 group summary

31 Creating Group Objects
Steps to create group objects in Active Directory Decide in which container object the group should be created Choose an appropriate group name, scope, and type To create universal groups A domain must be switched to native mode

32 Modifying Group Memberships
Membership can be added once a group object is created Depending upon which type of group is created, Windows Server 2003 groups can possibly contain Users Contacts Other groups Computers

33 Adding or modifying memberships

34 Changing a Group Scope A group can change its scope as long as group’s membership rules are not violated Rules for changing group scopes You can only change a global group to a universal group as long as it is not a member of another global group You can only change a domain local group to a universal group as long as it does not contain any other domain local groups as a member

35 Understanding the Built-in Local Groups
Built-in local security groups Have various preassigned rights Can be used to allow users to perform certain network tasks Ease the implementation of delegation and security rights throughout the network Found in Builtin container Built-in global groups Found in Users container

36 Local groups and their rights

37 Viewing built-in global groups

38 Managing Security Groups
User Accounts Acronym A G U DL P can be used to implement the use of security groups Create user Accounts, and organize them within Global groups Often users are grouped in global groups based on departments in the organization. Optional: Create Universal groups and place global groups from any domain within the universal groups. Global Groups A G Universal Groups U

39 Managing Security Groups (Continued)
Domain Local Groups Create Domain Local groups that represent the resources in which you want to control access and add the global or universal groups to the domain local groups 4. Assign Permissions to the domain local groups DL Permissions P

40 GROUPS AND THEIR USERS The access token is built during the logon process. The access token is compared to entries in the Access Control List (ACL) of resources, called Access Control Entries (ACEs). The user is allowed to access the resource based upon group membership. Multiple users can gain access to a single resource or to obtain a group of permissions, such as changing the system time, shutting down the computer, and so on, just by being a member of a group. The access token is built during the logon process. The access token is compared to entries in the Access Control List (ACL) of resources, called Access Control Entries (ACEs). The user is allowed to access the resource based upon group membership.

41 GROUP NESTING: WINDOWS 2000 NATIVE OR LATER DOMAIN FUNCTIONAL LEVEL
create groups that hold other groups. This allows you to further organize or separate your administrative hierarchy. You can use additional groups, which are either global or universal, to create groups that hold other groups. This allows you to further organize or separate your administrative hierarchy. The broken arrows in this diagram illustrate some of the options for nesting groups.

42 Administering Permissions in Active Directory
Active Directory uses permissions to protect the creation, deletion, or viewing of objects within the database By default, administrators have full access to all objects within the domain Users are given the initial permission to read most attributes of the objects stored in the database

43 Active Directory Object Permissions
Active Directory objects can be assigned permissions at two levels: Object-level permissions Define which types of objects a user or group can view, create, delete, or modify within Active Directory Can be applied according to a preconfigured set of standard permissions Attribute-level permissions Define which attributes of a certain object a user or group can view or modify within Active Directory

44 Common standard permissions available in Windows Server 2003 Active Directory

45 Permission Inheritance
By default, all child objects inside a container object inherit permissions from parent objects Permission inheritance and careful planning can eliminate the need to assign permissions to Every container object, or Every object inside a container The default inheritance of permissions can be modified by blocking the inheritance at a container or object level

46 Delegating Authority Over Active Directory Objects
Steps to delegate the administration of Active Directory Design OU structure so that the administration work can be distributed Configure the appropriate level of administrative permissions for each administrator Delegation of Control Wizard Guides you through the process of determining the permissions that you want to delegate Configures permissions for the object and child objects

47 Delegating an administrative task in Active Directory

48 Managing Active Directory Replication
The process of directory data being synchronized and maintained between domain controllers throughout the domain Multi-master replication model Used by Windows Server 2003 Multiple domain controllers have the authority to update and replicate database changes to each domain controller Provides a level of fault tolerance

49 Managing Active Directory Replication
Domain Controller B Domain Controller C Domain Controller A Multimaster Replication

50 Replication Components and Processes
When an object is created, deleted, or modified, replication has to take place among all domain controllers within the domain Originating update Initial modification to the database on a specific domain controller Replicated updates All synchronized copies sent to other domain controllers Replication latency Time that it takes to replicate an update to another domain controller

51 How Replication Works Replication Add Modify Move Delete
Active Directory Update Replication Originating Update Domain Controller A Domain Controller B Domain Controller C Replicated Update Add Modify Move Delete

52 Replication Latency Replication
Default Replication Latency (initial change notification delay + subsequent notification delay ) = 15 sec + 3 sec When No Changes, Scheduled Replication = One Hour Urgent Replication = Immediate Change Notification Replicated Update Change Notification Domain Controller B Replication Originating Update Domain Controller A Change Notification Replicated Update Domain Controller C

53 Identifying Replication Problems
Three main areas that can cause potential conflict within the database Attribute value errors Occur when the same attribute of an object is edited at the same time on two different domain controllers Placing objects within containers marked for deletion Occurs when one administrator deletes a container, while another administrator creates an object or moves an object into the deleted container before replication takes place

54 Identifying Replication Problems (Continued)
Sibling name errors Occur if two administrators concurrently create an object with the same relative distinguished name on two different domain controllers To help resolve possible conflicts Active Directory applies unique stamps to every attribute that is replicated

55 Resolving Replication Conflicts
Domain Controller A Domain Controller B Stamp Stamp Originating Update Originating Update Conflict Conflict Version Number Timestamp Server GUID Stamp

56 Identifying Replication Problems
Tools that can assist in viewing replication information or diagnosing replication problems Event Viewer DCDIAG Replication Monitor

57 Summary Active Directory Users and Computers
Primary tool used to manage users, groups, OUs, and published information within a domain Main goal when designing an OU structure A granular structure that meets the group policy and delegation needs of the organization Possible standards regarding user accounts Establishing a naming convention Determining password ownership Determining which attributes are required

58 Summary (Continued) A computer account
Can be created automatically during the initial client installation of the operating system Can be preconfigured in Active Directory before the initial installation Types of groups in Windows Server 2003 Security groups Distribution groups Possible group scopes Domain local Global Universal

59 Summary (Continued) Acronym A G U DL P
Can be used when implementing the use of security groups Active Directory permissions can be assigned at Object level Attribute level Delegation of Control Wizard Simplifies the process of applying and delegating Active Directory object permissions

60 Summary (Continued) Main replication problems
Attribute-level conflicts Sibling name conflicts Creating or moving objects to deleted containers

Download ppt "Administering Active Directory"

Similar presentations

By Rashid Khan Lesson 5-Directory Assistance: Administration Using Active Directory Users and Computers.

By Rashid Khan Lesson 5-Directory Assistance: Administration Using Active Directory Users and Computers.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Chapter 6 Introducing Active Directory

Chapter 6 Introducing Active Directory
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
10.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

10.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts.
Chapter 4 Introduction to Active Directory and Account Management

Chapter 4 Introduction to Active Directory and Account Management
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

Similar presentations

Ads by Google