Administering Active Directory

About This Presentation

Title:

Administering Active Directory

Description:

To prevent an object from inheriting permissions from a parent folder, clear the ... When copying previously inherited permissions, the permissions for that object ... – PowerPoint PPT presentation

Number of Views:105

Avg rating:3.0/5.0

Slides: 88

Provided by: higheredM

Category:

more less

Transcript and Presenter's Notes

Title: Administering Active Directory

1
Administering Active Directory

Locating Active Directory Objects
Controlling Access to Active Directory Objects
Publishing Resources in Active Directory
Moving Active Directory Objects
Delegating Administrative Control of Active
Directory Objects
Backing Up Active Directory
Restoring Active Directory
Troubleshooting Active Directory

2
Locating Active Directory Objects

Understanding Common Active Directory Objects
Using Find
Practice Searching Active Directory

3
Locating Active Directory Objects Overview

Active Directory stores information about objects
on the network.
Each object is a distinct, named set of
attributes that represents a specific network
entity.
Active Directory is designed to provide
information to queries about directory objects
from both users and programs.

4
Common Object Types

User account
Contact
Group
Shared folder
Printer
Computer
Domain controllers
Organizational unit (OU)

5
Using Find to Locate Objects
6
Overview of Using Find

The Find dialog box is located in the
Administrative Tools folder of the Active
Directory Users and Computers console.
The Find dialog box provides options that allow
the global catalog to be searched for Active
Directory objects.
The Find dialog box helps create an LDAP query
that will be executed against the directory or a
specific OU.
The global catalog contains a partial replica of
the entire directory, so it stores information
about every object in a domain tree or forest.
Because the global catalog contains a partial
replica of the entire directory, users can find
information regardless of which domain in the
tree or forest contains the data.
Active Directory automatically generates the
contents of the global catalog from the domains
that make up the directory.

7
Controlling Access to Active Directory Objects

Understanding Active Directory Permissions
Assigning Active Directory Permissions
Using Permissions Inheritance
Preventing Permissions Inheritance
Practice Controlling Access to Active Directory
Objects

8
Access to Active Directory Objects Overview

Windows 2000 uses an object-based security model
to implement access control for all Active
Directory objects.
This security model is similar to the one that
Windows 2000 uses to implement NTFS.
Every Active Directory object has a security
descriptor that defines who has the permissions
to gain access to the object and what type of
access is allowed.
Windows 2000 uses these security descriptors to
control access to objects.

9
Active Directory Security

Permissions provide security for resources by
controlling who can gain access to individual
objects or object attributes and the type of
access allowed.
An administrator or the object owner must assign
permissions to the object before users can gain
access to the object.
An access control list (ACL) is a stored list of
user access permissions for every Active
Directory object.
An ACL for an object lists who can access the
object and the specific actions that each user
can perform on the object.
Permissions assign administrative privileges to a
specific user or group for an OU, a hierarchy of
OUs, or a single object, without assigning
administrative permissions for controlling other
Active Directory objects.

10
Object Permissions

The object type determines which permissions can
be selected.
Permissions vary for different object types.
A user can be a member of multiple groups, each
with different permissions that provide different
levels of access to objects.
When assigning a permission to a user for access
to an object, and that user is a member of a
group that is assigned a different permission,
the users effective permissions are the
combination of the user and group permissions.
Permissions can be allowed or denied.
Denied permissions take precedence over any
permissions that are otherwise allowed for user
accounts and groups.
Permissions should be denied only when it is
absolutely necessary to deny permission to a
specific user who is a member of a group with
allowed permissions.

11
Standard Permissions and Special Permissions

Both standard permissions and special permissions
can be set on objects.
Standard permissions are the most frequently
assigned permissions and are composed of special
permissions.
Special permissions provide a finer degree of
control for assigning access to objects.

12
Standard Object Permissions

Full Control Change permissions and take
ownership, plus perform the tasks allowed by all
other standard permissions
Read View objects and object attributes, the
object owner, and Active Directory permissions
Write Change object attributes
Create All Child Objects Add any type of child
object to an OU
Delete All Child Objects Remove any type of
object from an OU

13
Active Directory Permissions
14
Assigning Active Directory Permissions

The Active Directory Users and Computers console
is used to set standard permissions for objects
and attributes of objects.
The Security tab of the Properties dialog box for
the object is used to assign permissions.
The Properties dialog box is different for each
object type.
When the check boxes under Permissions are
shaded, the object has inherited permissions from
the parent object.
To prevent an object from inheriting permissions
from a parent folder, clear the Allow Inheritable
Permissions From Parent To Propagate To This
Object check box.
Special permissions are accessible through the
Advanced button.

15
Access Control Settings For Users Dialog Box
16
Permission Entry For Users Dialog Box
17
Inheriting Permissions and Blocking Inheritance
18
Using Permissions Inheritance

Similar to file and folder permissions
inheritance.
Minimizes the number of times permissions need to
be assigned for objects.
When permissions are assigned, applying the
permissions to child objects propagates the
permissions to all the child objects for a parent
object.
Shaded check boxes indicate which permissions are
inherited.

19
Using Permissions Inheritance (cont)

Permissions for a given object can be propagated
to all child objects.
Permissions inheritance can be prevented.
When copying previously inherited permissions,
the permissions for that object start out exactly
the same as those inherited from the current
parent object.
Any permissions for the parent object that are
modified after blocking inheritance no longer
apply.
When previously inherited permissions are
removed, Windows 2000 removes existing
permissions and assigns no additional permissions
to the object permissions must then be assigned
for the object.

20
Preventing Permissions Inheritance

Permissions inheritance can be prevented so that
a child object does not inherit permissions from
its parent object.
Clearing the Allow Inheritable Permissions From
Parent To Propagate To This Object check box,
located on the Security tab in the Properties
dialog box, prevents permissions inheritance.
Only the permissions that are explicitly assigned
to the object apply.

21
Actions Allowed When Permissions Inheritance is
Prevented

Copy previously inherited permissions to the
object
The new explicit permissions for the object are a
copy of the permissions that it previously
inherited from its parent object.
Any changes can be made to the permissions, as
needed.
Remove previously inherited permissions from the
object
Windows 2000 removes any previously inherited
permissions.
No permissions exist for the object.
Any permissions can be assigned for the object,
as needed.

22
Publishing Resources in Active Directory

Publishing Resources in Active Directory
Publishing Users and Computers
Publishing Shared Resources
Publishing Network Services

23
Overview of Publishing Resources

Administrators need to be able to provide secure
and selective publication of network resources to
network users and make it easy for users to find
information.
The directory stores this information for rapid
retrieval and integrates Windows 2000 security
mechanisms to control access.

24
Publishable Resources

Computers
Printers
Folders
Files
Network services

25
Users and Computers

User and computer accounts are added to the
directory using the Active Directory Users and
Computers console.
Information about the accounts that is useful for
other network users is published automatically.
Information, such as account security
information, is made available only to certain
administrator groups.

26
Shared Resources

Publishing information about shared resources,
such as printers, folders, and files, makes it
easy for users to find these resources on the
network.
Windows 2000 network printers are automatically
published in the directory when installed.
Information about Windows NT printers and shared
folders can be published in the directory using
the Active Directory Users and Computers console.

27
Network Services

Network-enabled services can be published in the
directory so that administrators can find and
administer them using the Active Directory Sites
and Services console.
A service, rather than computers or servers,
should be published.
Publishing a service allows administrators to
focus on managing the service regardless of which
computer is providing the service or where the
computer is located.
Additional services or applications can be
published in the directory using Active Directory
programming interfaces.
The qualities that make a service appropriate for
publishing may be better understood by
understanding how Active Directory uses services.

28
Binding Information

Allows clients to connect to services that do not
have well known bindings and that conform to a
service-centric model.
Publishing the bindings for these kinds of
services enables Windows 2000 to automatically
establish connections with services.
Machine-centric services are typically handled on
a service-by-service basis and should not be
published to the directory.

29
Configuration Information

Can be common across client applications.
Publishing configuration information allows the
distribution of current configuration information
for these applications to all clients in the
domain.
Accessed by client applications as needed, which
eases application configuration for users and
gives more control over application behaviors.

30
Characteristics of Service Information

Useful to many clients
Relatively stable and unchanging
Well-defined, reasonable properties

31
Moving Active Directory Objects

Moving Objects
Moving Objects Within a Domain
Moving Objects Between Domains
Moving Workstations or Member Servers Between
Domains
Moving Domain Controllers Between Sites
Practice Moving Objects Within a Domain

32
Moving Objects

In the logical environment, objects can be moved
within and between domains in Active Directory.
In the physical environment, domain controllers
can be moved between sites.

33
Moving Objects Within a Domain

Objects with identical security requirements
should be moved into an OU or container within a
domain.
Access permissions should be assigned to the OU
or container and all objects in it.

34
Move Dialog Box
35
Moving Objects Between OUs or Containers

Permissions assigned directly to objects remain
the same.
Objects inherit permissions from the new OU or
container.
Previously inherited permissions from the old OU
or container no longer affect the objects.
Multiple objects can be moved at the same time.

36
Moving Objects Between Domains

Supports domain consolidation or organizational
restructuring operations.
Moving an object involves taking an existing
object and moving it below an existing parent.
The distinguished name of the moved object
reflects its new position in the hierarchy.
An objects GUID is unchanged by a move or
rename.
As users and groups are migrated from one domain
to another, they are given a new SID.
Windows 2000 supports SIDHistory, a security
attribute.
MOVETREE command-line utility.

37
Supported MOVETREE Operations

Move an object or a nonempty container to a
different domain valid only within the same
forest
Move Domain Local and Global groups between
domains without members and within domains with
members valid only within the same forest
Move Universal groups with members within and
between domains valid only within the same forest

38
Unsupported MOVETREE Operations

Some objects and information are not moved.
Objects that are not moved are classified as
orphaned objects and are placed in an orphan
container in the LostAndFound container in the
source domain.
The LostAndFound container is visible in the
Active Directory Users and Computers console in
Advanced View.
The orphan container is named using the GUID of
the parent container being moved and contains the
objects that were selected for the MOVETREE
operation.

39
Unsupported MOVETREE Operations

Local and Domain Global groups that contain
members
The Domain join information for computer objects
Associated object data
Including group policies
User profiles
Logon scripts
Users personal data
Encrypted files
Smart cards
Public key certificates

40
Error Conditions That May Cause MOVETREE Failures

The source domain controller cannot transfer the
relative identifier master role owner.
The source object is locked due to another
operation in progress.
Either the source or destination domain has
invalid credentials.
The destination knows the source object is
deleted, but the source does not know.
A failure at the destination domain controller.
The source and destination have a schema mismatch.

41
Restrictions That Cause Moving Users Between
Domains to Fail

The user object contains one or more objects the
user object must be a leaf object.
A SAM constraint is met constraints include when
the users samAccountName already exists in the
destination domain, or when the users password
length does not meet the password restrictions in
the target domain.
The user object belongs to a Global group from
the source domain the user objects membership
is voided because a Global group can only have a
member in the same domain.
Exception If the user object belongs to the
Domain Users group, and that group is the user
objects Primary group, then the move operation
succeeds.

42
Restrictions That Cause Moving Groups Between
Domains to Fail

The group object contains one or more objects.
The group objects membership and reverse
memberships do not fulfill the requirements of
its type.
The groups samAccountName exists on the
destination domain.

43
Moving Objects Between Domains Using MOVETREE

The necessary privileges must exist to perform
this operation.
MOVETREE can be used from the command line and
can be called from a batch file to script user
and group creation.

44
MOVETREE Syntax

movetree /start /startnocheck /continue
/check /s SrcDSA /d DstDSA /sdn SrcDN /ddn DstDN
/u Domain\Username /p Password verbose /?
/help

45
MOVETREE Log Files Overview

Created after the MOVETREE operation
Located in the directory where the MOVETREE
operation was performed

46
MOVETREE Log Files

MOVETREE.ERR Lists any errors encountered during
the MOVETREE operation
MOVETREE.LOG Lists statistical results of the
MOVETREE operation
MOVETREE.CHK Lists any potential errors or
conflicts detected during the move operations
precheck phase

47
Moving Workstations or Member Servers Between
Domains

Moving a workstation or member server from one
domain to another can be performed with NETDOM,
the Windows 2000 Domain Manager support tool.
NETDOM is available in the Windows 2000 Support
Tools included on the Windows 2000 CD-ROM in the
\SUPPORT\TOOLS folder.

48
NETDOM Syntax

netdom move /Ddomain /OUou_path /UdUser
/PdPassword /UoUser /PoPassword
/Reboottime_in_seconds

49
Moving Domain Controllers Between Sites

A domain controller can be installed into a site
that has existing domain controllers, except the
first domain controller installed, which
automatically creates the Default-First-Site-Name
site.
A first domain controller cant be created in any
site but Default-First-Site-Name, but a domain
controller can be created in a site that has a
previously existing domain controller and then
moved to another site.
After the first domain controller has been
installed, creating Default-First-Site-Name,
other domain controllers can be created in this
site and then moved to alternative sites.
The preceding procedure may also be used to move
member servers between sites.

50
Move Server Dialog Box
51
Delegating Administrative Control of AD Objects

Guidelines for Delegating Control
Delegation Of Control Wizard
Guidelines for Administering Active Directory
Practice Delegating Administrative Control in
Active Directory

52
Guidelines for Delegating Control

Administrative control of objects is delegated by
assigning permissions to the object, allowing
users or groups of users to administer the
objects.
Tracing permissions at the OU or container level
is easier than tracking permissions on objects or
object attributes.
The most common method of delegating
administrative control is to assign permission at
the OU or container level.
Assigning permissions at the OU or container
level allows delegation of administrative control
for the objects contained in the OU or container.
The Delegation Of Control Wizard is used to
assign permissions at the OU or container level.

53
Types of Control to Delegate

Permissions to change properties on a particular
container
Permissions to create, modify, or delete objects
of a specific type in a specific OU or container
Permissions to modify specific properties on
objects of a specific type in a specific OU or
container

54
Ways to Delegate Administrative Control

Assign control at the OU or container level
whenever possible.
Use the Delegation Of Control Wizard.
Track the delegation of permission assignments.
Follow business requirements.

55
Delegation of Control Wizard

Steps through the process of assigning
permissions at the OU or container level.
Specialized permissions must be manually
assigned.
Started by clicking the OU or container for which
to delegate control and then clicking Delegate
Control on the Action menu.

56
Delegation Of Control Wizard Options

Users Or Groups Select the user accounts or
groups to which to delegate control
Tasks To Delegate Select common tasks from a
list or create custom tasks to delegate
Active Directory Object Type Select the scope of
the tasks to delegate
Permissions Select one of the following
permissions to delegate
General The most commonly assigned permissions
available for the object
Property-Specific Permissions that can be
assigned to the attributes of the object
Creation/Deletion Of Specific Child Objects
Permissions to create and delete child objects

57
Guidelines for Administering Active Directory

Coordinate Active Directory structure with other
administrators.
Complete all attributes that are important to the
organization.
Use deny permissions sparingly.
Ensure that at least one user has Full Control
for each Active Directory object.
Ensure delegated users take responsibility and
can be held accountable.
Train users who have control of objects.

58
Backing Up Active Directory

Performing Preliminary Tasks
The Backup Wizard
What to Back Up
Where to Store the Backup
Specifying Advanced Backup Settings
Scheduling Active Directory Backup Jobs

59
Performing Preliminary Tasks

An important part of backing up Active Directory
is performing the preliminary tasks.
The files to be backed up must be closed.
Users must be instructed to close files before
the backup begins.
Applications using the system or users who cannot
be notified will have their sessions terminated
when backup begins.
Windows Backup does not back up files that are
locked by applications.
E-mail or the Send Console Message dialog box can
be used to send administrative messages to users.

60
Preliminary Tasks Removable Media Device

The backup device must be attached to a computer
on the network and turned on the tape device
must be attached to the computer on which Windows
Backup is to run.
The media device must be listed on the Windows
2000 HCL.
The media must be loaded in the media device.

61
Backup Wizard What To Back Up Page
62
Backing Up System State Data

System State data comprises the registry, the
COM Class Registration database, system boot
files, and the Certificate Services database.
If the server is a domain controller, Active
Directory and the SYSVOL directory are also
contained in the System State data.
All System State data relevant to the computer is
backed up individual components of the System
State data cannot be chosen for backup.
System State data can be backed up on a local
computer only it cannot be backed up on a remote
computer.

63
Backup WizardWhere To Store The Backup Page
64
Backup Media Options

Backup Media Type
Tape or file.
File can be located on any disk-based medium,
including a hard disk, shared folder, or
removable disk.
Backup Media Or File Name
Location where Windows Backup will store the
data.
For a tape, enter the tape name.
For a file, enter the path for the backup file.

65
Backup Wizard Options

Start the backup If Finish is clicked, the
Backup Wizard displays status information about
the backup job in the Backup Progress dialog box.
Specify advanced backup options If Advanced is
clicked, the Backup Wizard offers advanced backup
settings.

66
Advanced Backup Settings Pages

Type Of Backup
How To Backup
Media Options
Backup Label
When To Back Up

67
Backup Wizard Provides the Opportunity to do
Either of the Following

Finish the backup process
The Backup Wizard displays the Completing The
Backup Wizard settings and then presents the
option to finish and immediately start the
backup.
During backup, the wizard displays status
information about the backup job.
Back up later
Additional dialog boxes are shown to schedule the
backup process to occur later.

68
Scheduling Active Directory Backup Jobs

An unattended backup job can occur later when
users are not at work and files are closed.
Active Directory backup jobs should be scheduled
to occur at regular intervals.
Windows 2000 integrates Windows Backup with the
Task Scheduler service.

69
Restoring Active Directory

Preparing to Restore Active Directory
Nonauthoritative Restore
Authoritative Restore
Performing a Nonauthoritative Restore
Specifying Advanced Restore Settings
Performing an Authoritative Restore

70
Preparing to Restore Active Directory

As with the backup process, only the System State
data that was backed up can be restored,
including the registry, the COM Class
Registration database, system boot files, the
SYSVOL directory, the Active Directory, and the
Certificate Services database.
Individual components of the System State data
cannot be restored.
If the System State data is being restored to a
domain controller, the choice of whether to
perform a nonauthoritative restore or an
authoritative restore must be specified.
Default method of restoring the System State data
to a domain controller is nonauthoritative.

71
Nonauthoritative Restore

Any component of the System State replicated with
another domain controller is brought up-to-date
by replication after the data is restored.
The Active Directory replication system updates
the restored data with newer data from other
servers.

72
Authoritative Restore

If the changes made subsequent to the last backup
operation shouldnt be replicated, an
authoritative restore must be performed.
An authoritative restore must be performed if
users, groups, or OUs are inadvertently deleted
from Active Directory and the system needs to
restore so that the deleted objects are recovered
and replicated.
NTDSUTIL must be run after performing a
nonauthoritative restore of the System State data
but before the server is restarted.
NTDSUTIL allows the objects to be marked as
authoritative.

73
Authoritative Restore (cont)

Marking an object as authoritative changes its
update sequence number so that it is higher than
any other update sequence number in the Active
Directory replication system.
Using NTDSUTIL ensures replicated or distributed
data that has been restored is properly
replicated or distributed throughout the
organization.
NTDSUTIL can be found in the systemroot\system32
directory accompanying documentation is located
within the Windows 2000 Help files.

74
Performing a Nonauthoritative Restore

To restore the System State data on a domain
controller, the computer first must be started in
Directory Services Restore Mode.
Directory Services Restore Mode allows the SYSVOL
directory and Active Directory directory services
database to be restored.
System State data can be restored only on a local
computer, not a remote computer.

75
Restore WizardWhat To Restore Page
76
Restore WizardAdvanced Restore Options

Where To Restore page Restore Files To option
How To Restore page When Restoring Files That
Already Exist option
Advanced Restore Options page Select The Special
Restore Options You Want To Use option

77
Windows Backup FunctionsAfter the Restore Wizard

Prompts for verification of the selection of the
source media to use to restore data after
verification, Windows Backup starts the restore
process.
Displays status information about the restore
process.

78
Performing an Authoritative Restore
Authoritative Restore Operation

An authoritative restore occurs after a
nonauthoritative restore and designates the
entire directory, a subtree, or individual
objects to be recognized as authoritative with
respect to replica domain controllers in the
forest.
The NTDSUTIL utility allows objects to be marked
as authoritative so that they are propagated
through replication, thereby updating existing
copies of those objects throughout the forest.

79
Performing an Authoritative Restore After the
Authoritative Restore Operation

Normal replication brings the restored domain
controller up-to-date with any changes from the
additional domain controllers that were not
overridden by the authoritative restore.
Replication also propagates the authoritatively
restored object(s) to other domain controllers in
the forest.
The deleted objects that were marked as
authoritative are replicated from the restored
domain controller to the additional domain
controllers.
Because the restored objects have the same object
GUID and object SID, security remains intact, and
object dependencies are maintained.

80
Additional Tasks for Authoritatively Restoring
the Entire Active Directory Database

An additional procedure involving the SYSVOL
directory must be performed to ensure the
integrity of the computers group policy.
Which additional procedure should be performed
depends on whether the entire Active Directory
database or only a portion is being
authoritatively restored.

81
Troubleshooting Active Directory