Administering Active Directory - PowerPoint PPT Presentation

Provided by: zz91
Transcript and Presenter's Notes

Title: Administering Active Directory


1
Chapter 3
  • Administering Active Directory

2
Objectives
  • Create and modify Active Directory objects such
    as organizational units, users, computers, and
    groups
  • Identify and troubleshoot Active Directory group
    types and scopes
  • Administer Active Directory object permissions
  • Manage and troubleshoot Active Directory
    replication

3
Administering Active Directory Objects
  • Types of objects stored in the Active Directory
    database
  • Container object
  • Used to contain and organize related objects
    within the Active Directory hierarchy
  • Can consist of other child containers or leaf
    objects
  • Example: organizational unit (OU)
  • Leaf object
  • Represents resources within a selected domain
  • Stored within a container
  • Cannot contain other objects
  • Examples: user object, computer object

4
Administering Active Directory Objects (Continued)
  • Administrative Tools menu
  • Contains a number of management tools, such as
  • Active Directory Users and Computers
  • Active Directory Sites and Services
  • Active Directory Domains and Trusts

5
Exploring Active Directory Users and Computers
  • Active Directory Users and Computers
  • MMC application with the filename of Dsa.msc
  • Primary administration tool used to manage the
    following within an Active Directory domain
  • Users
  • Groups
  • OUs
  • Published information
  • One of the tools used to create and manage Group
    Policy objects

6
Viewing the Active Directory Users and Computers
console
7
Exploring Active Directory Users and Computers
(Continued)
  • Default container objects
  • Several container objects are automatically
    created when a Windows Server 2003 server is
    promoted to domain controller
  • Active Directory Users and Computers can create a
    number of objects within a domain

8
Purpose of the default container objects in
Active Directory
9
Objects available in Active Directory Users and
Computers
10
Creating Organizational Units
  • Organizational unit (OU)
  • A logical container that contains other objects,
    such as
  • Users
  • Groups
  • Computers
  • Published resources
  • Other OUs
  • Can only consist of objects from its home domain
  • Main reason to create an OU
  • Organize and partition a single domain into
    logical administrative units

11
Creating Organizational Units (Continued)
  • Things to keep in mind when designing an OU
    structure
  • Administrative delegation
  • Group Policy
  • Goal in designing a domain
  • The domain should be
  • Logically organized
  • Easy to administer
  • Easy to control

12
Creating New User Accounts
  • User account object
  • Represents all the information that defines a
    physical user with access permissions to the
    network
  • Can assist in the administration and security of
    the network by making it possible to
  • Require authentication of anyone connecting to
    network
  • Control access to network resources such as
    shared folders or printers
  • Monitor access to resources by auditing actions
    performed by a user logged on with a specific
    account

13
Creating a new user object
14
Creating New User Accounts (Continued)
  • Standards on the elements of a user object might
    include
  • Establishing a naming convention
  • Controlling password ownership
  • Including additional required attributes
  • A number of initial account settings can be
    configured when creating a user account, such as
  • Whether a user's password ever expires
  • If the account should initially be disabled
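The standards this slide describes (naming convention, password ownership, required attributes, initial account options) can be enforced before the account exists. This is an added example, not part of the slides; the naming convention, required attributes, OU path and UPN suffix are assumptions chosen for illustration.

```powershell
# Added example (not from the slides): apply account standards before the
# account exists. Naming convention, required attributes, OU and UPN suffix
# are assumptions chosen for illustration.
Import-Module ActiveDirectory
function New-StandardUser {
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $Department,   # required attribute
        [Parameter(Mandatory)] [string] $Title,        # required attribute
        [string] $OUPath    = 'OU=Sales,DC=example,DC=com',
        [string] $UpnSuffix = 'example.com'
    )
    # Naming convention (assumed): first initial + surname, lower case,
    # letters only, at most 20 characters (the sAMAccountName limit).
    $sam = (($GivenName.Substring(0, 1) + $Surname) -replace '[^A-Za-z]', '').ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # Refuse a duplicate rather than silently inventing another name.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        throw "Account '$sam' already exists; resolve the naming collision first."
    }

    # Initial password: random, never written down or reused. Ownership passes
    # to the user because they must change it at first logon.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    $account = @{
        Name                  = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$UpnSuffix"
        Path                  = $OUPath
        Department            = $Department
        Title                 = $Title
        AccountPassword       = $initial
        Enabled               = $false   # stays disabled until the person is verified
        ChangePasswordAtLogon = $true    # forces the owner to set their own password
        PasswordNeverExpires  = $false   # keep the domain password policy in force
    }
    New-ADUser @account
    return $sam
}

# Usage (constructed values): creates a disabled account named 'jdoe'.
# New-StandardUser -GivenName 'Jane' -Surname 'Doe' -Department 'Sales' -Title 'Analyst'
```

The account is left disabled on purpose; enabling it is a separate, deliberate step once the person behind it is confirmed.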

15
Initial account policy options for a new user
account
16
Creating New User Accounts (Continued)
  • Once a user account is created, a number of
    additional tasks and attributes can be applied,
    such as
  • Copy
  • Add to a Group
  • Disable Account
  • Reset Password
  • Move
  • Open Home Page
  • Send Mail
  • Properties

17
Creating New User Accounts (Continued)
  • To view and modify user account attributes
  • Right-click the user account, then
  • Click Properties
  • Properties dialog box of a user account
  • Tabs allow you to
  • Add specific information, or
  • Enable specific functionality for the user account

18
Properties of a user account object
19
Creating Computer Accounts
  • Computer account
  • An Active Directory object
  • Can be created in two primary ways
  • During initial installation of client operating
    system
  • Preconfigured in Active Directory before client
    installation

20
Creating a new computer object
21
Moving Active Directory Objects
  • Objects created within the Active Directory Users
    and Computers console can be moved between
    containers within the same domain
  • Containers that cannot be moved
  • Builtin
  • Computers
  • Domain Controllers
  • ForeignSecurityPrincipals
  • Users
  • The default local groups found in the Builtin
    container cannot be moved

22
Creating Group Objects
  • Windows Server 2003 group
  • Container object
  • Used to organize collection of users, computers,
    contacts, or other groups into a single security
    principal
  • Simplifies administration
  • Rights and resource permissions can be assigned
    to a group rather than to individual users

23
Creating Group Objects (Continued)
  • Groups and OUs
  • Similarity
  • Both are used to organize other objects into
    logical containers
  • Differences
  • Permissions and rights
  • OUs are not security principals and as such
    cannot be used to define permissions on resources
    or be assigned rights
  • Active Directory security groups are security
    principals that can be assigned both permissions
    and rights

24
Creating Group Objects (Continued)
  • Objects that they can contain
  • OUs can only contain objects from their parent
    domain
  • Some groups can contain objects from any domain
    within the forest

25
Group Types
  • Windows Server 2003 allows two group types
  • Security group
  • Defined by Security Identifier (SID)
  • Can be listed in discretionary access control
    lists (DACLs) used to define permissions on
    resources and objects
  • Distribution group
  • Used solely for e-mail distribution
  • Does not have associated SID
  • Cannot be listed in DACLs used to define
    permissions on resources and objects

26
Group Scopes
  • Group scope
  • The logical boundary within which a group can be
    assigned permissions to a specific resource
    within the domain or forest
  • Security and distribution groups in Active
    Directory can be assigned one of three possible
    scopes
  • Global
  • Domain local
  • Universal

27
Global
  • A global group
  • Can be assigned permissions to any resource in
    any domain within the forest
  • Can only contain members of the same domain in
    which it is created
  • Mainly used to organize user objects into logical
    groupings according to function

28
Domain Local
  • A domain local group
  • Can only be assigned permissions to a resource
    available in the local domain in which it is
    created
  • Group membership can come from any domain within
    the forest
  • Mainly used to assign access permissions to a
    resource

29
Universal
  • A universal group
  • Can be assigned permissions to any resource in
    any domain within the forest
  • Differences between universal and global groups
  • A universal group can consist of user objects
    from any domain in the forest; global groups can
    only consist of user objects from the same domain
  • Universal groups are only available when a domain
    is configured in Windows 2000 native mode or the
    Windows Server 2003 functional level

30
Windows Server 2003 group summary
31
Creating Group Objects
  • Steps to create group objects in Active Directory
  • Decide in which container object the group should
    be created
  • Choose an appropriate group name, scope, and type
  • To create universal groups
  • A domain must be switched to native mode

32
Modifying Group Memberships
  • Membership can be added once a group object is
    created
  • Depending upon which type of group is created,
    Windows Server 2003 groups can possibly contain
  • Users
  • Contacts
  • Other groups
  • Computers

33
Adding or modifying memberships
34
Changing a Group Scope
  • A group can change its scope as long as group
    membership rules are not violated
  • Rules for changing group scopes
  • You can only change a global group to a universal
    group as long as it is not a member of another
    global group
  • You can only change a domain local group to a
    universal group as long as it does not contain
    any other domain local groups as a member
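The two rules above can be checked before the scope change is attempted, so a refusal comes with the offending group named rather than as an opaque directory error. This is an added example, not part of the slides; the group names in the usage line are assumptions, and the Universal to Global case goes beyond the slide (a global group cannot contain universal groups).

```powershell
# Added example (not from the slides): check the membership rules before
# changing a group's scope, so the attempt fails with a reason instead of an
# opaque directory error. Group names in the usage line are assumptions.
Import-Module ActiveDirectory
function Convert-GroupScope {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('Global', 'DomainLocal', 'Universal')]
        [string] $NewScope
    )
    $group = Get-ADGroup -Identity $Identity
    if ("$($group.GroupScope)" -eq $NewScope) { return }

    # Groups this group belongs to, and groups it contains, with their scopes.
    $parents = Get-ADPrincipalGroupMembership -Identity $group
    $nested  = Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { Get-ADGroup -Identity $_.distinguishedName }

    $problems = @()
    switch ("$($group.GroupScope)->$NewScope") {
        'Global->Universal' {
            # A universal group cannot be a member of a global group.
            $problems += $parents | Where-Object { $_.GroupScope -eq 'Global' } |
                ForEach-Object { "is a member of global group '$($_.Name)'" }
        }
        'DomainLocal->Universal' {
            # A universal group cannot contain domain local groups.
            $problems += $nested | Where-Object { $_.GroupScope -eq 'DomainLocal' } |
                ForEach-Object { "contains domain local group '$($_.Name)'" }
        }
        'Universal->Global' {
            # Beyond the slide: a global group cannot contain universal groups
            # (members from other domains would also block this; not checked here).
            $problems += $nested | Where-Object { $_.GroupScope -eq 'Universal' } |
                ForEach-Object { "contains universal group '$($_.Name)'" }
        }
        'Universal->DomainLocal' { }   # always permitted
        default {
            throw "$($group.GroupScope) -> $NewScope is not a direct change; convert to Universal first."
        }
    }
    if ($problems.Count -gt 0) {
        throw "Cannot change '$($group.Name)' to ${NewScope}: $($problems -join '; ')"
    }
    Set-ADGroup -Identity $group -GroupScope $NewScope
}

# Usage: Convert-GroupScope -Identity 'G-Sales' -NewScope Universal
```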

35
Understanding the Built-in Local Groups
  • Built-in local security groups
  • Have various preassigned rights
  • Can be used to allow users to perform certain
    network tasks
  • Ease the implementation of delegation and
    security rights throughout the network
  • Found in Builtin container
  • Built-in global groups
  • Found in Users container

36
Local groups and their rights
37
Viewing built-in global groups
38
Managing Security Groups
  • Acronym A G U DL P can be used to implement the
    use of security groups
  • 1. Create user Accounts, and organize them within
    Global groups
  • Often users are grouped in global groups based on
    departments in the organization
  • 2. Optional: Create Universal groups and place
    global groups from any domain within the
    universal groups

39
Managing Security Groups (Continued)
  • 3. Create Domain Local groups that represent the
    resources to which you want to control access, and
    add the global or universal groups to the domain
    local groups
  • 4. Assign Permissions to the domain local groups
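The four A G U DL P steps as a script, with a closing check that no user or global group has been granted permission on the resource directly. This is an added example, not part of the slides; the domain, OU, group, folder and account names are assumptions, the user accounts (step 1) are assumed to exist already, and the optional universal step is skipped, as on the slide.

```powershell
# Added example (not from the slides): the A G U DL P steps as a script.
# Domain, OU, group, folder and account names are assumptions; the user
# accounts are assumed to exist (step 1), and the optional universal step is
# skipped, as on the slide.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$netbios  = (Get-ADDomain).NetBIOSName
$groupOU  = "OU=Groups,$domainDN"
$share    = 'D:\Shares\SalesReports'

# G: one global group per department, holding the user accounts.
$sales = New-ADGroup -Name 'G-Sales' -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Description 'Sales department staff' -PassThru
Add-ADGroupMember -Identity $sales -Members 'jdoe', 'asmith'   # assumed accounts

# DL: one domain local group per resource and access level.
$readers = New-ADGroup -Name 'DL-SalesReports-Read' -GroupScope DomainLocal `
    -GroupCategory Security -Path $groupOU -Description "Read $share" -PassThru
$editors = New-ADGroup -Name 'DL-SalesReports-Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Path $groupOU -Description "Modify $share" -PassThru

# G into DL: nest the department group in the resource group it needs.
Add-ADGroupMember -Identity $editors -Members $sales

# P: permissions go to the domain local groups only, never to users directly.
$acl = Get-Acl -Path $share
foreach ($grant in @(@($readers, 'ReadAndExecute'), @($editors, 'Modify'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$netbios\$($grant[0].SamAccountName)", $grant[1],
        'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $share -AclObject $acl

# Check: every explicit ACE should name a DL- group, not a user or a G- group.
(Get-Acl -Path $share).Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```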

40
Administering Permissions in Active Directory
  • Active Directory uses permissions to protect the
    creation, deletion, or viewing of objects within
    the database
  • By default, administrators have full access to
    all objects within the domain
  • Users are given the initial permission to read
    most attributes of the objects stored in the
    database

41
Active Directory Object Permissions
  • Active Directory objects can be assigned
    permissions at two levels
  • Object-level permissions
  • Define which types of objects a user or group can
    view, create, delete, or modify within Active
    Directory
  • Can be applied according to a preconfigured set
    of standard permissions
  • Attribute-level permissions
  • Define which attributes of a certain object a
    user or group can view or modify within Active
    Directory

42
Common standard permissions available in Windows
Server 2003 Active Directory
43
Permission Inheritance
  • By default, all child objects inside a container
    object inherit permissions from parent objects
  • Permission inheritance and careful planning can
    eliminate the need to assign permissions to
  • Every container object, or
  • Every object inside a container
  • The default inheritance of permissions can be
    modified by blocking the inheritance at a
    container or object level

44
Delegating Authority Over Active Directory Objects
  • Steps to delegate the administration of Active
    Directory
  • Design OU structure so that the administration
    work can be distributed
  • Configure the appropriate level of administrative
    permissions for each administrator
  • Delegation of Control Wizard
  • Guides you through the process of determining the
    permissions that you want to delegate
  • Configures permissions for the object and child
    objects
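Once the wizard has run, what was delegated is only visible in the OU's access control list, where object-level and attribute-level permissions appear as GUIDs. The following added example (not part of the slides) lists the explicit entries on an OU with those GUIDs resolved to names and flags blocked inheritance; the OU in the usage line is an assumption.

```powershell
# Added example (not from the slides): audit what has been delegated on an
# OU. Each explicit ACE has its GUIDs resolved so object-level and
# attribute-level permissions read as names, and blocked inheritance is
# flagged. The OU in the usage line is an assumption.
Import-Module ActiveDirectory
function Get-OUDelegation {
    param([Parameter(Mandatory)] [string] $OUDistinguishedName)
    $root  = Get-ADRootDSE
    $names = @{}   # GUID string -> attribute/class name or extended right name
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $names[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $names[([guid]$_.rightsGuid).ToString()] = $_.displayName }

    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"
    if ($acl.AreAccessRulesProtected) {
        Write-Warning "Inheritance from parent containers is blocked on $OUDistinguishedName"
    }
    # Explicit (non-inherited) ACEs are the delegation decisions made at this OU.
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'all properties and rights' } else { $names[$ace.ObjectType.ToString()] }
        $class = if ($ace.InheritedObjectType -eq [guid]::Empty) { 'any object class' } else { $names[$ace.InheritedObjectType.ToString()] }
        [pscustomobject]@{
            Trustee     = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            Scope       = $scope   # a single attribute, an extended right, or everything
            AppliesTo   = $class   # the object class the ACE is inherited by
            Inheritance = $ace.InheritanceType
        }
    }
}

# Usage: Get-OUDelegation -OUDistinguishedName 'OU=Sales,DC=example,DC=com' | Format-Table
```

Comparing this output against the delegation that was intended is the quickest way to spot rights that were granted once and never removed.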

45
Delegating an administrative task in Active
Directory
46
Managing Active Directory Replication
  • Active Directory replication
  • The process of directory data being synchronized
    and maintained between domain controllers
    throughout the domain
  • Multi-master replication model
  • Used by Windows Server 2003
  • Multiple domain controllers have the authority to
    update and replicate database changes to each
    domain controller
  • Provides a level of fault tolerance

47
Replication Components and Processes
  • When an object is created, deleted, or modified,
    replication has to take place among all domain
    controllers within the domain
  • Originating update
  • Initial modification to the database on a
    specific domain controller
  • Replicated updates
  • All synchronized copies sent to other domain
    controllers
  • Replication latency
  • Time that it takes to replicate an update to
    another domain controller

48
Identifying Replication Problems
  • Three main areas that can cause potential
    conflict within the database
  • Attribute value errors
  • Occur when the same attribute of an object is
    edited at the same time on two different domain
    controllers
  • Placing objects within containers marked for
    deletion
  • Occurs when one administrator deletes a
    container, while another administrator creates an
    object or moves an object into the deleted
    container before replication takes place

49
Identifying Replication Problems (Continued)
  • Sibling name errors
  • Occur if two administrators concurrently create
    an object with the same relative distinguished
    name on two different domain controllers
  • To help resolve possible conflicts
  • Active Directory applies unique stamps to every
    attribute that is replicated
  • Tools that can assist in viewing replication
    information or diagnosing replication problems
  • Event Viewer
  • DCDIAG
  • Replication Monitor
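A replication health pass that pairs the tools named above with a search for the objects each conflict type leaves behind. This is an added example, not part of the slides; it is meant to be run with domain admin rights on or against a domain controller, and reads the domain from the environment rather than assuming one.

```powershell
# Added example (not from the slides): a replication health pass that pairs
# the tools the slide names with a search for the objects each conflict
# type leaves behind. Run with domain admin rights on or against a DC; the
# domain is read from the environment rather than assumed.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# 1. Inbound replication links with failures, parsed from repadmin's CSV output.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
$links | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                  'Last Success Time', 'Last Failure Status'

# 2. DCDIAG's replication test; /q prints only failures.
dcdiag /test:replications /q

# 3. Sibling name conflicts: the losing object is renamed "<name>\0ACNF:<guid>".
Get-ADObject -Filter 'Name -like "*CNF:*"' -SearchBase $domainDN |
    Select-Object Name, ObjectClass, DistinguishedName

# 4. Objects created in, or moved into, a container deleted on another DC are
#    parked in LostAndFound; anything here needs an owner to decide its home.
Get-ADObject -SearchBase "CN=LostAndFound,$domainDN" -SearchScope OneLevel -Filter * |
    Select-Object Name, ObjectClass, WhenChanged

# 5. Attribute value conflicts resolve silently by stamp (version, then
#    originating time, then originating DSA), so they leave no object behind;
#    the Directory Service log is where Event Viewer shows replication errors.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2, 3 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```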

50
Summary
  • Active Directory Users and Computers
  • Primary tool used to manage users, groups, OUs,
    and published information within a domain
  • Main goal when designing an OU structure
  • A granular structure that meets the group policy
    and delegation needs of the organization
  • Possible standards regarding user accounts
  • Establishing a naming convention
  • Determining password ownership
  • Determining which attributes are required

51
Summary (Continued)
  • A computer account
  • Can be created automatically during the initial
    client installation of the operating system
  • Can be preconfigured in Active Directory before
    the initial installation
  • Types of groups in Windows Server 2003
  • Security groups
  • Distribution groups
  • Possible group scopes
  • Domain local
  • Global
  • Universal

52
Summary (Continued)
  • Acronym A G U DL P
  • Can be used when implementing the use of security
    groups
  • Active Directory permissions can be assigned at
  • Object level
  • Attribute level
  • Delegation of Control Wizard
  • Simplifies the process of applying and delegating
    Active Directory object permissions

53
Summary (Continued)
  • Main replication problems
  • Attribute-level conflicts
  • Sibling name conflicts
  • Creating or moving objects to deleted containers