Module 7: Active Directory and Account Management

Objectives
• Explain the purpose of Active Directory and its key features
• Describe containers in Active Directory
• Understand user account management
• Explain security group management and implement security groups
• Implement user profiles

Introduction to Active Directory
• Directory service that houses information about all network resources
• Centralized management allows for quick searches and access to resources
• Hierarchical organization of elements provides the ability to control user access
• Used in Windows 2000 Server and Server 2003
  – Windows NT Servers use the SAM database
  – Active Directory improves on SAM by:
    • Providing complete management of all resources
    • Allowing writeable copies on all domain controllers

Active Directory Terminology
• Object
  – Network resource defined in a domain
  – Has distinct attributes and properties
• Container
  – An object that holds other objects
• Domain
  – A fundamental container that holds a group of resource objects
• Domain controller (DC)
  – A Windows 2003 server that contains a full copy of the Active Directory information

Replication in Active Directory
• Multimaster replication
  – Any change on one DC is replicated to all other DCs
  – If one DC fails, there is no visible network interruption
• Replication can be set to occur at preset intervals instead of as soon as an update occurs
• Network traffic due to replication is reduced by:
  – Replicating individual properties instead of entire accounts
  – Replicating based on the speed of the network link
    • Replicate more frequently over a LAN than over a WAN

Installing Active Directory
• Make a Windows 2003 server a DC by installing Active Directory
• A DNS server must be available to complete the installation

Schema
• Defines the object classes, and their attributes, that can be contained in Active Directory
• Each object class contains a globally unique identifier (GUID)
  – Unique number associated with an object name
• An object class may have required and optional attributes
• Each attribute is given a version number and date when created or modified
  – Allows updates of only that value on all DCs
• Windows Server 2003 has several default object classes

Global Catalog
• Stores information about every object within a forest
  – Full replicas of objects in its own domain and partial replicas of objects in other domains
• Authenticates users when they log on
• Provides lookup and access to all resources in all domains
• Provides replication of key Active Directory elements
• Keeps a copy of the most used object attributes for quick access

Namespace
• A logical area on a network that contains directory services and named objects
• Performs name resolution through a DNS server in its designated DNS namespace
• Active Directory must be able to access a DNS server on the network
• DNS and Active Directory namespaces can be on a single computer or be distributed across several servers
• Two types of namespaces:
  – In a contiguous namespace, the child object contains the name of the parent object
  – In a disjointed namespace, the child name does not resemble the parent name

Containers in Active Directory
• Hierarchical elements arranged in a treelike structure
• Containers in Active Directory include:
  – Forests
  – Trees
  – Domains
  – Organizational units
  – Sites

Forests
• Highest-level container that consists of one or more trees in a common relationship
• The trees can use a disjointed namespace
• All trees use the same schema
• All trees use the same global catalog
• Domains enable administration of commonly associated objects
• Two-way transitive trusts between domains

Trust Relationships
• Two-way trust
  – Members of each domain can have access to the resources of the other
• Transitive trust
  – If A and B have a trust and B and C have a trust, A and C automatically have a trust
• Kerberos transitive trust relationship
  – A two-way transitive trust using Kerberos security techniques
• Forest trust
  – A Kerberos transitive trust between the root domains of Windows Server 2003 forests

Trees
• Contain one or more domains that are in a common relationship
• Domains are in a contiguous namespace and can be in a hierarchy
  – All domains share a portion of their namespace
• Parent and child domains are in a Kerberos transitive trust relationship
• All domains use the same schema for all types of common objects
• All domains use the same global catalog

Domain
• Primary container of a group of objects
• Provides a partition in which to house objects that have a common relationship
  – Partitions reflect management and security relationships
• Establishes a set of information to be replicated from one DC to another
• Expedites management of a set of objects

Organizational Unit
• Grouping of objects within a domain
• Enables the delegation of server administration roles
  – Groups objects according to management tasks
• Provides the ability to administer objects with Group Policies
  – Groups objects with similar security access
• Can be nested within other OUs

Site
• Groups objects by physical location to identify the fastest route between clients and servers and between DCs
• Reflects one or more interconnected subnets
• Is used for DC replication
  – Sets up redundant paths between DCs
  – Coordinates replication between sites with a bridgehead server
• Enables a client to access the DC that is physically closest
• Is composed of only two types of objects:
  – Servers
  – Configuration objects

Container Guidelines
• Keep Active Directory as simple as possible and plan its structure before you implement it
• Implement the least number of domains possible
• Implement only one domain on most small networks
• When an organization is planning to reorganize, use OUs to reflect the organization's structure
• Create only the number of OUs that are absolutely necessary
• Do not build an Active Directory with more than 10 levels of OUs (one or two levels is preferable)
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
• Implement multiple trees and forests only as necessary
• Use sites where there are multiple IP subnets and geographic locations to improve logon and replication performance

User Account Management
• Environments in which to set up and manage accounts
  – On a standalone server without Active Directory:
    • Use the Local Users and Groups tool
  – In a domain where Active Directory is installed:
    • Use the Active Directory Users and Computers tool
• Management tasks:
  – Creating an account
  – Disabling, enabling, and renaming accounts
  – Moving an account
  – Resetting a password
  – Deleting an account
• It is easier to disable an old account, rename it, and enable the account with a new name than to delete the account and create a new one

Deleting an Account
• Delete accounts that are no longer in use
  – Provides for easier account management
  – Reduces the exposure to security risks
• When an account is deleted, its GUID is also deleted and is not reused

Security Group Management
• Group management eliminates repetitive steps in managing user and resource access
• The scope of a group determines its reach for gaining access to Active Directory objects
• Group types according to scope:
  – Local
  – Domain local
  – Global
  – Universal
• Group types according to use:
  – Security
  – Distribution

Implementing Local Groups
• Used on standalone servers that are not part of a domain
• Also used on member servers in a domain
• Scope does not go beyond the local server
• Divided on the basis of security access to the local server
• Created using the Local Users and Groups tool

Implementing Domain Local Groups
• Used in a single domain or to manage resources in a particular domain
• Gives global and universal groups from the same or other domains access to resources
• Usually placed in ACLs to give resource access to its members
  – An access control list (ACL) is a list of security privileges for a particular object
• Scope is the domain in which the group exists
• Can be converted to a universal group if:
  – Other domain local groups are not contained within it
  – The domain is in Windows Server 2003 mode

Domain Functional Levels
• Determined by the type of servers in a domain
• Three functional-level modes:
  – Windows 2000 mixed mode
    • Combination of NT, 2000, and 2003 servers
  – Windows 2000 native mode
    • Only 2000 and 2003 servers
  – Windows Server 2003 mode
    • Only 2003 servers
• The default mode is either mixed or native
  – Change the mode through the Raise Functional Level dialog box

Implementing Global Groups
• Intended to contain user accounts from a single domain
• Used to manage group accounts in a domain so that the accounts can access resources in the same domain and in other domains
• Can access resources in other domains through membership in other global, domain local, or universal groups
• Can contain user accounts and other global groups from the domain in which it was created
• Can be converted to a universal group with the same restrictions as domain local groups

Implementing Universal Groups
• Used to provide easy access to resources in any domain within a forest
• Membership can include user accounts, global groups, and universal groups from any domain
• Provides the ability to manage security for single accounts with minimal effort
• Simplifies access when there are multiple domains
• To create a universal group, it may be necessary to convert the domain to Windows Server 2003 mode

Guidelines for Security Groups
• Use global groups to hold accounts as members
• Keep nesting of global groups to a minimum
• Give accounts access to resources by making their global groups members of other groups
• Use domain local groups to provide access to resources in a specific domain
• Avoid placing accounts in domain local groups
• Use universal
  groups to provide extensive access to resources by placing them in ACLs

Properties of Groups
• General
  – Modify the description, scope, and type of the group, and e-mail addresses for a distribution group
• Members
  – Add or remove members from a group
• Member Of
  – Add or remove the group's membership in another group
• Managed by
  – Establish an account or group that manages the group

Implementing User Profiles
• Local user profile
  – Stored on the local computer
  – Multiple users can use the same computer and maintain customized settings
• Roaming profile
  – Downloaded to the client from the server
  – The same settings are available to users regardless of the computer they log on to
• Mandatory profile
  – Stored on the server
  – A user can modify, but not save, settings

Summary
• Active Directory
  – Directory service that provides ways to manage resources in a network
• Object
  – Most basic component in Active Directory
  – Defined through an information set called a schema
• Global catalog
  – Stores information about every object
  – Replicates key elements
  – Authenticates user logons
• Namespace
  – Uses the DNS namespace for name resolution
  – Active Directory requires a DNS server
• Active Directory hierarchy
  – Forests, trees, domains, organizational units, and sites
• Active Directory design
  – Keep the structure as simple as possible
• User accounts
  – Customize account properties
  – Management tasks include disabling, enabling, renaming, moving, and deleting accounts
• Security group management
  – Local, domain local, global, and universal groups
• User profiles
  – Used to customize accounts
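The security-group guidelines above (accounts in global groups, global groups in domain local groups, only domain local groups in resource ACLs) carried out in PowerShell, as an added example that is not part of the course slides. It assumes the ActiveDirectory module that ships with Windows Server 2008 R2 and later rather than the Server 2003 tools the module describes, a domain example.com with an OU named Groups, a domain member file server FS01, and user accounts jdoe and asmith; all of these names are placeholders.

```powershell
# Added example, not from the course slides. Assumed names: domain example.com,
# OU "Groups", file server FS01, users jdoe and asmith.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=example,DC=com'

# A -> G: user accounts go into a Global group, which holds accounts from one domain
New-ADGroup -Name 'G-Sales-Staff' -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Description 'All sales staff accounts'
Add-ADGroupMember -Identity 'G-Sales-Staff' -Members 'jdoe', 'asmith'

# G -> DL: the Global group, not the individual accounts, becomes a member of a
# Domain Local group that exists only to carry permissions on one resource
New-ADGroup -Name 'DL-SalesShare-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description 'Modify access to \\FS01\Sales'
Add-ADGroupMember -Identity 'DL-SalesShare-Modify' -Members 'G-Sales-Staff'

# DL -> P: only the Domain Local group is placed in the folder ACL (run on FS01);
# (OI)(CI) inherit to files and subfolders, M is Modify
icacls 'D:\Shares\Sales' /grant 'EXAMPLE\DL-SalesShare-Modify:(OI)(CI)M'

# Check 1: membership resolved through the nesting should list the user accounts
Get-ADGroupMember -Identity 'DL-SalesShare-Modify' -Recursive |
    Select-Object Name, objectClass

# Check 2: the guideline says accounts should not sit directly in a Domain Local
# group; this reports any account that does, for every Domain Local group in the OU
Get-ADGroup -Filter { GroupScope -eq 'DomainLocal' } -SearchBase $groupOU |
    ForEach-Object {
        $g = $_
        Get-ADGroupMember -Identity $g |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { "$($g.Name) directly contains account $($_.SamAccountName)" }
    }
```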
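The roaming and mandatory profiles described above, set up in PowerShell as an added example that is not part of the course slides. It assumes the ActiveDirectory module, a file server FS01 with a share named Profiles$ on which the user has write access, and a user account jdoe; these names are placeholders.

```powershell
# Added example, not from the course slides. Assumed names: server FS01,
# share Profiles$, user jdoe.
Import-Module ActiveDirectory

$profileRoot = '\\FS01\Profiles$\jdoe'

# Roaming profile: the account's profile path points at the server share, so the
# profile is downloaded at logon and the same settings follow the user to any
# computer. Windows creates the folder at the user's first logon.
Set-ADUser -Identity 'jdoe' -ProfilePath $profileRoot

# Mandatory profile: the same server-side profile, but with the registry hive
# renamed from NTUSER.DAT to NTUSER.MAN. The user can still change settings
# during a session, but they are not written back at logoff. Run this only
# after the roaming profile has been created by a first logon; -Force is needed
# because the hive file is hidden. On Windows Vista and later the profile
# folder carries a version suffix such as ".V2", so adjust $profileRoot there.
Rename-Item -Path (Join-Path $profileRoot 'NTUSER.DAT') -NewName 'NTUSER.MAN' -Force

# Check what is now set on the account
Get-ADUser -Identity 'jdoe' -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath
```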