Introduction to Windows Server 2003 Chapter 4
Slide 1. Hands-On Microsoft Windows Server 2003, Chapter 4: Introduction to Active Directory and Account Management

Slide 2. Objectives
• Explain the purpose of Active Directory and its key features
• Describe containers in Active Directory
• Understand user account management
• Explain security group management and implement security groups
• Implement user profiles

Slide 3. Introduction to Active Directory
• Directory service that houses information about all network resources
• Centralized management allows for quick searches and access to resources
• Hierarchical organization of elements provides the ability to control user access
• Used in Windows 2000 Server and Windows Server 2003
  – Windows NT servers use the SAM database
  – Active Directory improves on the SAM by:
    • Providing complete management of all resources
    • Allowing writeable copies on all domain controllers

Slide 4 (no transcript text)

Slide 5. Active Directory Terminology
• Object
  – Network resource defined in a domain
  – Has distinct attributes and properties
• Container
  – An object that holds other objects
• Domain
  – A fundamental container that holds a group of resource objects
• Domain controller (DC)
  – A Windows 2003 server that contains a full copy of the Active Directory information

Slide 6 (no transcript text)

Slide 7. Replication in Active Directory
• Multimaster replication
  – Any change on one DC is replicated to all other DCs
  – If one DC fails, there is no visible network interruption
• Replication can be set to occur at preset intervals instead of as soon as an update occurs
• Network traffic due to replication is reduced by:
  – Replicating individual properties instead of entire accounts
  – Replicating based on the speed of the network link
    • Replicate more frequently over a LAN than over a WAN

Slide 8. Installing Active Directory
• Make a Windows 2003 server a DC by installing Active Directory
• A DNS server must be available to complete the installation

Slide 9. Schema
• Defines the object classes and their attributes that can be contained in Active Directory
• Each object class contains a globally unique identifier (GUID)
  – Unique number associated with an object name
• An object class may have required and optional attributes
• Each attribute is given a version number and date when created or modified
  – Allows updates of only that value on all DCs
• Windows Server 2003 has several default object classes

Slide 10 (no transcript text)

Slide 11. Global Catalog
• Stores information about every object within a forest
  – Full replicas of objects in its own domain and partial replicas of objects in other domains
• Authenticates users when they log on
• Provides lookup and access to all resources in all domains
• Provides replication of key Active Directory elements
• Keeps a copy of the most used object attributes for quick access

Slide 12. Namespace
• A logical area on a network that contains directory services and named objects
• Performs name resolution through a DNS server in its designated DNS namespace
• Active Directory must be able to access a DNS server on the network
• DNS and Active Directory namespaces can be on a single computer or distributed across several servers
• Two types of namespaces:
  – In a contiguous namespace, the child object's name contains the name of the parent object
  – In a disjointed namespace, the child name does not resemble the parent name

Slide 13. Containers in Active Directory
• Hierarchical elements arranged in a treelike structure
• Containers in Active Directory include:
  – Forests
  – Trees
  – Domains
  – Organizational units
  – Sites

Slide 14 (no transcript text)

Slide 15. Forests
• Highest-level container that consists of one or more trees in a common relationship
• The trees can use a disjointed namespace
• All trees use the same schema
• All trees use the same global catalog
• Domains enable administration of commonly associated objects
• Two-way transitive trusts between domains

Slide 16 (no transcript text)

Slide 17. Trust relationships
• Two-way trust
  – Members of each domain can have access to the resources of the other
• Transitive trust
  – If A and B have a trust and B and C have a trust, A and C automatically have a trust
• Kerberos transitive trust relationship
  – A two-way transitive trust using Kerberos security techniques
• Forest trust
  – A Kerberos transitive trust between the root domains of two Windows Server 2003 forests

Slide 18. Trees
• Contain one or more domains that are in a common relationship
• Domains are in a contiguous namespace and can be in a hierarchy
  – All domains share a portion of their namespace
• Parent and child domains are in a Kerberos transitive trust relationship
• All domains use the same schema for all types of common objects
• All domains use the same global catalog

Slide 19 (no transcript text)

Slide 20. Domain
• Primary container of a group of objects
• Provides a partition in which to house objects that have a common relationship
  – Partitions reflect management and security relationships
• Establishes a set of information to be replicated from one DC to another
• Expedites management of a set of objects

Slide 21 (no transcript text)

Slide 22. Organizational Unit
• Grouping of objects within a domain
• Enables the delegation of server administration roles
  – Groups objects according to management tasks
• Provides the ability to administer objects with Group Policies
  – Groups objects with similar security access
• Can be nested within other OUs

Slide 23 (no transcript text)

Slide 24. Site
• Groups objects by physical location to identify the fastest route between clients and servers and between DCs
• Reflects one or more interconnected subnets
• Is used for DC replication
  – Sets up redundant paths between DCs
  – Coordinates replication between sites with a bridgehead server
• Enables a client to access the DC that is physically closest
• Is composed of only two types of objects:
  – Servers
  – Configuration objects

Slide 25 (no transcript text)

Slide 26. Container Guidelines
• Keep Active Directory as simple as possible and plan its structure before you implement it
• Implement the least number of domains possible
• Implement only one domain on most small networks
• When an organization is planning to reorganize, use OUs to reflect the organization's structure
• Create only the number of OUs that are absolutely necessary

Slide 27. Container Guidelines (cont.)
• Do not build an Active Directory with more than 10 levels of OUs (one or two levels is preferable)
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
• Implement multiple trees and forests only as necessary
• Use sites where there are multiple IP subnets and geographic locations to improve logon and replication performance

Slide 28. User Account Management
• Environments to set up and manage accounts
  – On a standalone server without Active Directory:
    • Use the Local Users and Groups tool
  – In a domain where Active Directory is installed:
    • Use the Active Directory Users and Computers tool
• Management tasks:
  – Creating an account
  – Disabling, enabling, and renaming accounts
  – Moving an account
  – Resetting a password
  – Deleting an account

Slide 29 (no transcript text)

Slide 30. It is easier to disable an old account, rename it, and enable the account with a new name than to delete the account and create a new one

Slide 31 (no transcript text)

Slide 32 (no transcript text)

Slide 33. Deleting an Account
• Delete accounts that are no longer in use
  – Provides for easier account management
  – Reduces the exposure to security risks
• When an account is deleted, its GUID is also deleted and is not reused
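The account tasks on slides 28, 30 and 33 (find stale accounts, disable and park an account rather than delete it, rename and re-enable it for a successor, and delete only what has sat disabled long enough) as an added PowerShell example. This is not code from the slide deck or from Microsoft; it assumes the ActiveDirectory module from the RSAT tools on an administrative workstation (Windows Server 2003 itself does not ship that module; there the same tasks are done in Active Directory Users and Computers or with the dsquery, dsmod, dsmove and dsrm command-line tools). The OU path, account names and the 90-day threshold are constructed values.

```powershell
# Added example: account lifecycle tasks from the "User Account Management",
# "disable, rename, re-enable" and "Deleting an Account" slides, using the
# ActiveDirectory PowerShell module (RSAT; assumed to be installed).
# The OU path, user names and the 90-day threshold below are constructed.
Import-Module ActiveDirectory

$StaleOu    = 'OU=Disabled Accounts,DC=example,DC=local'   # assumed holding OU
$StaleAfter = New-TimeSpan -Days 90                         # chosen threshold

# 1. List enabled user accounts with no logon inside the threshold.
#    Review the list before acting; service accounts often show up here.
function Get-StaleUsers {
    Search-ADAccount -AccountInactive -TimeSpan $StaleAfter -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object Name, SamAccountName, LastLogonDate, DistinguishedName
}

# 2. Disable and park an account instead of deleting it. The object, its
#    GUID and its group memberships survive, so it can later be renamed and
#    re-enabled for a successor, as slide 30 recommends.
function Disable-AndParkUser {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$Reason = 'left organization')
    $user = Get-ADUser -Identity $SamAccountName
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format yyyy-MM-dd): $Reason"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $StaleOu
}

# 3. Reuse a parked account for a new person: rename the object, change the
#    logon names, reset the password, force a change at first logon, enable.
function Rename-AndReenableUser {
    param([Parameter(Mandatory)][string]$OldSam,
          [Parameter(Mandatory)][string]$NewSam,
          [Parameter(Mandatory)][string]$NewDisplayName,
          [Parameter(Mandatory)][string]$TargetOu,
          [Parameter(Mandatory)][securestring]$TempPassword)
    $user   = Get-ADUser -Identity $OldSam
    $domain = (Get-ADDomain).DNSRoot
    Rename-ADObject -Identity $user.DistinguishedName -NewName $NewDisplayName
    $user = Get-ADUser -Identity $OldSam            # re-read: the DN changed
    Set-ADUser -Identity $user -SamAccountName $NewSam `
        -UserPrincipalName "$NewSam@$domain" -DisplayName $NewDisplayName `
        -Description "Reassigned $(Get-Date -Format yyyy-MM-dd)"
    Set-ADAccountPassword -Identity $NewSam -Reset -NewPassword $TempPassword
    Set-ADUser -Identity $NewSam -ChangePasswordAtLogon $true
    Move-ADObject -Identity (Get-ADUser $NewSam).DistinguishedName -TargetPath $TargetOu
    Enable-ADAccount -Identity $NewSam
}

# 4. Delete only accounts that have been disabled longer than the threshold
#    (slide 33). whenChanged is used as an approximation of the disable
#    date. The GUID and SID are not reused, so ACL entries that named the
#    account become orphaned; that is the intended effect of deleting.
function Remove-LongDisabledUsers {
    param([switch]$WhatIf)
    $cutoff = (Get-Date) - $StaleAfter
    Get-ADUser -SearchBase $StaleOu -Filter 'Enabled -eq $false' -Properties whenChanged |
        Where-Object { $_.whenChanged -lt $cutoff } |
        ForEach-Object { Remove-ADUser -Identity $_ -Confirm:$false -WhatIf:$WhatIf }
}

# Typical use (constructed names):
# Get-StaleUsers | Format-Table
# Disable-AndParkUser -SamAccountName 'jsmith' -Reason 'transfer'
# Rename-AndReenableUser -OldSam 'jsmith' -NewSam 'mjones' -NewDisplayName 'Mary Jones' `
#     -TargetOu 'OU=Sales,DC=example,DC=local' -TempPassword (Read-Host -AsSecureString 'Temp password')
# Remove-LongDisabledUsers -WhatIf
```

Run the deletion step with -WhatIf first; it prints what would be removed without touching the directory. Keeping the parked accounts in a dedicated OU also makes it easy to apply a restrictive Group Policy to them and to audit how long each has been disabled.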
Slide 34. Security Group Management
• Group management eliminates repetitive steps in managing user and resource access
• The scope of a group determines its reach for gaining access to Active Directory objects
• Group types according to scope:
  – Local
  – Domain local
  – Global
  – Universal
• Group types according to use:
  – Security
  – Distribution

Slide 35. Implementing Local Groups
• Used on standalone servers that are not part of a domain
• Also used on member servers in a domain
• Scope does not go beyond the local server
• Divided on the basis of security access to the local server
• Created using the Local Users and Groups tool

Slide 36. Implementing Domain Local Groups
• Used on a single domain or to manage resources in a particular domain
• Gives global and universal groups from the same or other domains access to resources
• Usually placed in ACLs to give resource access to its members
  – An access control list (ACL) is a list of security privileges for a particular object
• Scope is the domain in which the group exists
• Can be converted to a universal group if:
  – No other domain local groups are contained within it
  – The domain is in Windows Server 2003 mode

Slide 37 (no transcript text)

Slide 38. Domain Functional Levels
• Determined by the type of servers in a domain
• Three functional-level modes:
  – Windows 2000 mixed mode
    • Combination of NT, 2000, and 2003 servers
  – Windows 2000 native mode
    • Only 2000 and 2003 servers
  – Windows 2003 mode
    • Only 2003 servers
• The default mode is either mixed or native
  – Change the mode through the Raise Functional Level dialog box

Slide 39. Implementing Global Groups
• Intended to contain user accounts from a single domain
• Used to manage group accounts in a domain so that the accounts can access resources in the same domain and in other domains
• Can access resources in other domains through membership in other global, domain local, or universal groups
• Can contain user accounts and other global groups from the domain in which it was created
• Can be converted to a universal group with the same restrictions as domain local groups

Slide 40 (no transcript text)

Slide 41 (no transcript text)

Slide 42. Implementing Universal Groups
• Used to provide easy access to resources in any domain within a forest
• Membership can include user accounts, global groups, and universal groups from any domain
• Provides the ability to manage security for single accounts with minimal effort
• Simplifies access when there are multiple domains
• To create a universal group, it may be necessary to convert the domain to Windows Server 2003 mode

Slide 43 (no transcript text)

Slide 44. Guidelines for Security Groups
• Use global groups to hold accounts as members
• Keep nesting of global groups to a minimum
• Give accounts access to resources by making their global group a member of other groups
• Use domain local groups to provide access to resources in a specific domain
• Avoid placing accounts in domain local groups
• Use universal groups to provide extensive access to resources by placing them in ACLs
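The nesting pattern from slide 44 (accounts in a global group, the global group in a domain local group, and only the domain local group on the resource ACL), together with the conversion rule from slide 36 (a domain local group may become universal only when it contains no other domain local groups and the domain is in Windows Server 2003 mode), as an added PowerShell example. It is not code from the deck or from Microsoft; it assumes the ActiveDirectory module from RSAT, and the OU path, group names, member names and folder path are constructed.

```powershell
# Added example: group structure from the "Guidelines for Security Groups"
# slide (accounts -> global group -> domain local group -> ACL) plus the
# domain-local-to-universal conversion check from the "Implementing Domain
# Local Groups" slide. Uses the ActiveDirectory module (RSAT; assumed).
# The OU path, group names, member names and folder path are constructed.
Import-Module ActiveDirectory

$GroupOu = 'OU=Groups,DC=example,DC=local'                   # assumed OU

# Create both halves of the pattern: a global group that holds people (the
# role) and a domain local group that holds the permission (the resource).
function New-RoleResourcePair {
    param([Parameter(Mandatory)][string]$Role,       # e.g. 'Sales'
          [Parameter(Mandatory)][string]$Resource,   # e.g. 'SalesShare'
          [Parameter(Mandatory)][string[]]$Members)  # sAMAccountNames
    $global = New-ADGroup -Name "G-$Role" -SamAccountName "G-$Role" `
        -GroupScope Global -GroupCategory Security -Path $GroupOu -PassThru
    $local  = New-ADGroup -Name "DL-$Resource-Modify" -SamAccountName "DL-$Resource-Modify" `
        -GroupScope DomainLocal -GroupCategory Security -Path $GroupOu -PassThru
    Add-ADGroupMember -Identity $global -Members $Members   # accounts go in the global group only
    Add-ADGroupMember -Identity $local  -Members $global    # global group nested in the domain local group
    return [pscustomobject]@{ GlobalGroup = $global; DomainLocalGroup = $local }
}

# Put only the domain local group on the resource ACL. Accounts never appear
# here directly, so a personnel change is a membership edit, not an ACL edit.
function Grant-FolderModify {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$DomainLocalGroupSam)
    $netbios = (Get-ADDomain).NetBIOSName
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$netbios\$DomainLocalGroupSam", 'Modify',
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Audit: report explicit ACL entries that name a user rather than a group,
# which the slide says to avoid.
function Find-DirectUserAces {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            $sam = $_.IdentityReference.Value.Split('\')[-1]
            $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
            if ($obj -and $obj.ObjectClass -eq 'user') { $_ }
        }
}

# Conversion check from slide 36: a domain local group can become universal
# only if it contains no other domain local groups and the domain is at the
# Windows Server 2003 functional level or higher.
function Test-CanConvertToUniversal {
    param([Parameter(Mandatory)][string]$GroupSam)
    $group    = Get-ADGroup -Identity $GroupSam
    $mode     = (Get-ADDomain).DomainMode
    $required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    if ([int]$mode -lt [int]$required) {
        return "No: domain is at $mode; raise the domain functional level first"
    }
    $nestedDomainLocal = Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName } |
        Where-Object { $_.GroupScope -eq 'DomainLocal' }
    if ($nestedDomainLocal) {
        return "No: contains domain local group(s) $($nestedDomainLocal.Name -join ', ')"
    }
    return "Yes: Set-ADGroup -Identity $GroupSam -GroupScope Universal"
}

# Typical use (constructed names):
# $pair = New-RoleResourcePair -Role 'Sales' -Resource 'SalesShare' -Members 'mjones','tlee'
# Grant-FolderModify -Path 'D:\Shares\Sales' -DomainLocalGroupSam $pair.DomainLocalGroup.SamAccountName
# Find-DirectUserAces -Path 'D:\Shares\Sales'
# Test-CanConvertToUniversal -GroupSam 'DL-SalesShare-Modify'
```

The G-/DL- prefixes are a naming convention chosen for the example so the scope is visible in the group name. Find-DirectUserAces only examines explicit entries on the folder itself; inherited entries come from the parent and should be audited there.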
Slide 45. Properties of Groups
• General
  – Modify the description, the scope and type of the group, and the email addresses for a distribution group
• Members
  – Add or remove members from a group
• Member Of
  – Add or remove the group's membership in another group
• Managed by
  – Establish an account or group that manages the group

Slide 46. Implementing User Profiles
• Local user profile
  – Stored on the local computer
  – Multiple users can use the same computer and maintain customized settings
• Roaming profile
  – Downloaded to the client from the server
  – The same settings are available to users regardless of the computer they log on to
• Mandatory profile
  – Stored on the server
  – A user can modify, but not save, settings

Slide 47 (no transcript text)

Slide 48. Summary
• Active Directory
  – Directory service that provides ways to manage resources in a network
• Object
  – Most basic component in Active Directory
  – Defined through an information set called a schema
• Global catalog
  – Stores information about every object
  – Replicates key elements
  – Authenticates user logons
• Namespace
  – Uses the DNS namespace for name resolution
  – Active Directory requires a DNS server

Slide 49. Summary (cont.)
• Active Directory hierarchy
  – Forests, trees, domains, organizational units, and sites
• Active Directory design
  – Keep the structure as simple as possible
• User accounts
  – Customize account properties
  – Management tasks include disabling, enabling, renaming, moving, and deleting accounts
• Security group management
  – Local, domain local, global, and universal groups
• User profiles
  – Used to customize accounts