
Hands-On Microsoft Windows Server 2003

Chapter 4: Introduction to Active Directory and Account Management
Objectives
• Explain the purpose of Active Directory and its key features
• Describe containers in Active Directory
• Understand user account management
• Explain security group management and implement security groups
• Implement user profiles

Introduction to Active Directory
• Directory service that houses information about all network resources
• Centralized management allows for quick searches and access to resources
• Hierarchical organization of elements provides the ability to control user access
• Used in Windows 2000 Server and Server 2003
– Windows NT Servers use the SAM database
– Active Directory improves on SAM by:
• Providing complete management of all resources
• Allowing writeable copies on all domain controllers

Active Directory Terminology
• Object
– Network resource defined in a domain
– Has distinct attributes and properties
• Container
– An object that holds other objects
• Domain
– A fundamental container that holds a group of resource objects
• Domain controller (DC)
– A Windows 2003 server that contains a full copy of the Active Directory information

Replication in Active Directory
• Multimaster replication
– Any change on one DC is replicated to all other DCs
– If one DC fails, there is no visible network interruption
• Replication can be set to occur at preset intervals instead of as soon as an update occurs
• Network traffic due to replication is reduced by:
– Replicating individual properties instead of entire accounts
– Replicating based on the speed of the network link
• Replicate more frequently over a LAN than over a WAN

Installing Active Directory
• Make a Windows 2003 server a DC by installing Active Directory
• A DNS server must be available to complete the installation

Schema
• Defines the object classes, and their attributes, that can be contained in Active Directory
• Each object class contains a globally unique identifier (GUID)
– Unique number associated with an object name
• An object class may have required and optional attributes
• Each attribute is given a version number and a date when it is created or modified
– Allows updates of only that value on all DCs
• Windows Server 2003 has several default object classes

Global Catalog
• Stores information about every object within a forest
– Full replicas of objects in its own domain and partial replicas of objects in other domains
• Authenticates users when they log on
• Provides lookup and access to all resources in all domains
• Provides replication of key Active Directory elements
• Keeps a copy of the most used object attributes for quick access

Namespace
• A logical area on a network that contains directory services and named objects
• Performs name resolution through a DNS server in its designated DNS namespace
• Active Directory must be able to access a DNS server on the network
• DNS and Active Directory namespaces can be on a single computer or distributed across several servers
• Two types of namespaces:
– In a contiguous namespace, the child object's name contains the name of the parent object
– In a disjointed namespace, the child name does not resemble the parent name

Containers in Active Directory
• Hierarchical elements arranged in a treelike structure
• Containers in Active Directory include:
– Forests
– Trees
– Domains
– Organizational units
– Sites

Forests
• Highest-level container that consists of one or more trees in a common relationship
• The trees can use a disjointed namespace
• All trees use the same schema
• All trees use the same global catalog
• Domains enable administration of commonly associated objects
• Two-way transitive trusts between domains

Trust Relationships
• Two-way trust
– Members of each domain can have access to the resources of the other
• Transitive trust
– If A and B have a trust and B and C have a trust, A and C automatically have a trust
• Kerberos transitive trust relationship
– A two-way transitive trust using Kerberos security techniques
• Forest trust
– A Kerberos transitive trust between the root domains of two Windows Server 2003 forests

Trees
• Contain one or more domains that are in a common relationship
• Domains are in a contiguous namespace and can be in a hierarchy
– All domains share a portion of their namespace
• Parent and child domains are in a Kerberos transitive trust relationship
• All domains use the same schema for all types of common objects
• All domains use the same global catalog

Domain
• Primary container of a group of objects
• Provides a partition in which to house objects that have a common relationship
– Partitions reflect management and security relationships
• Establishes a set of information to be replicated from one DC to another
• Expedites management of a set of objects

Organizational Unit
• Grouping of objects within a domain
• Enables the delegation of server administration roles
– Groups objects according to management tasks
• Provides the ability to administer objects with Group Policies
– Groups objects with similar security access
• Can be nested within other OUs

Site
• Groups objects by physical location to identify the fastest route between clients and servers and between DCs
• Reflects one or more interconnected subnets
• Is used for DC replication
– Sets up redundant paths between DCs
– Coordinates replication between sites with a bridgehead server
• Enables a client to access the DC that is physically closest
• Is composed of only two types of objects:
– Servers
– Configuration objects

Container Guidelines
• Keep Active Directory as simple as possible and plan its structure before you implement it
• Implement the least number of domains possible
• Implement only one domain on most small networks
• When an organization is planning to reorganize, use OUs to reflect the organization's structure
• Create only the number of OUs that are absolutely necessary

Container Guidelines (cont.)
• Do not build an Active Directory with more than 10 levels of OUs (one or two levels is preferable)
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
• Implement multiple trees and forests only as necessary
• Use sites where there are multiple IP subnets and geographic locations to improve logon and replication performance

User Account Management
• Environments to set up and manage accounts
– On a standalone server without Active Directory:
• Use the Local Users and Groups tool
– In a domain where Active Directory is installed:
• Use the Active Directory Users and Computers tool
• Management tasks:
– Creating an account
– Disabling, enabling, and renaming accounts
– Moving an account
– Resetting a password
– Deleting an account

It is easier to disable an old account, rename it, and enable the account with a new name than to delete the account and create a new one

Deleting an Account
• Delete accounts that are no longer in use
– Provides for easier account management
– Reduces the exposure to security risks
• When an account is deleted, its GUID is also deleted and is not reused

Security Group Management
• Group management eliminates repetitive steps in managing user and resource access
• The scope of a group determines its reach for gaining access to Active Directory objects
• Group types according to scope:
– Local
– Domain local
– Global
– Universal
• Group types according to use:
– Security
– Distribution

Implementing Local Groups
• Used on standalone servers that are not part of a domain
• Also used on member servers in a domain
• Scope does not go beyond the local server
• Divided on the basis of security access to the local server
• Created using the Local Users and Groups tool

Implementing Domain Local Groups
• Used in a single domain or to manage resources in a particular domain
• Gives global and universal groups from the same or other domains access to resources
• Usually placed in ACLs to give resource access to its members
– An access control list (ACL) is a list of security privileges for a particular object
• Scope is the domain in which the group exists
• Can be converted to a universal group if:
– Other domain local groups are not contained within it
– The domain is in Windows Server 2003 mode

Domain Functional Levels
• Determined by the type of servers in a domain
• Three functional-level modes:
– Windows 2000 mixed mode
• Combination of NT, 2000, and 2003 servers
– Windows 2000 native mode
• Only 2000 and 2003 servers
– Windows 2003 mode
• Only 2003 servers
• The default mode is either mixed or native
– Change the mode through the Raise Functional Level dialog box

Implementing Global Groups
• Intended to contain user accounts from a single domain
• Used to manage group accounts in a domain so that the accounts can access resources in the same domain and in other domains
• Can access resources in other domains through membership in other global, domain local, or universal groups
• Can contain user accounts and other global groups from the domain in which it was created
• Can be converted to a universal group with the same restrictions as domain local groups

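The conversion conditions stated on this slide and on the domain local groups slide can be checked before the scope change is attempted. The following PowerShell function is an added example, not from the textbook; it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later, not the Windows Server 2003 tools the slides describe), uses a constructed group name, and for a global group applies Microsoft's documented condition for this conversion (the group must not itself be a member of another global group).

```powershell
# Added example (not from the textbook): checks whether a domain local or global group
# can be converted to universal scope under the rules on these slides. Assumes the
# ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Test-UniversalGroupConversion {
    param([Parameter(Mandatory)][string]$GroupName)

    $group    = Get-ADGroup -Identity $GroupName -Properties MemberOf
    $domain   = Get-ADDomain
    $blockers = @()

    # Slide rule: the domain must be in Windows Server 2003 mode (or a later level)
    $minimum = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    if ($domain.DomainMode -lt $minimum) {
        $blockers += "Domain functional level is $($domain.DomainMode); raise it first"
    }

    switch ($group.GroupScope) {
        'DomainLocal' {
            # A domain local group cannot become universal while it contains another
            # domain local group (rule from the Implementing Domain Local Groups slide)
            Get-ADGroupMember -Identity $group |
                Where-Object { $_.objectClass -eq 'group' } |
                ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName } |
                Where-Object { $_.GroupScope -eq 'DomainLocal' } |
                ForEach-Object { $blockers += "Contains domain local group $($_.Name)" }
        }
        'Global' {
            # A global group cannot become universal while it is a member of another
            # global group (Microsoft's documented condition for this conversion)
            $group.MemberOf |
                ForEach-Object { Get-ADGroup -Identity $_ } |
                Where-Object { $_.GroupScope -eq 'Global' } |
                ForEach-Object { $blockers += "Is a member of global group $($_.Name)" }
        }
        'Universal' { $blockers += 'Group is already universal' }
    }

    [pscustomobject]@{
        Group      = $group.Name
        Scope      = $group.GroupScope
        CanConvert = ($blockers.Count -eq 0)
        Blockers   = $blockers
    }
}

# Report only; after a clean check the conversion itself is:
#   Set-ADGroup -Identity 'SalesResources' -GroupScope Universal
Test-UniversalGroupConversion -GroupName 'SalesResources'   # constructed group name
```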
Implementing Universal Groups
• Used to provide easy access to resources in any domain within a forest
• Membership can include user accounts, global groups, and universal groups from any domain
• Provides the ability to manage security for single accounts with minimal effort
• Simplifies access when there are multiple domains
• To create a universal group, it may be necessary to convert the domain to Windows Server 2003 mode

Guidelines for Security Groups
• Use global groups to hold accounts as members
• Keep nesting of global groups to a minimum
• Give accounts access to resources by making their global group a member of other groups
• Use domain local groups to provide access to resources in a specific domain
• Avoid placing accounts in domain local groups
• Use universal groups to provide extensive access to resources by placing them in ACLs

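Two of these guidelines (accounts belong in global groups, not directly in domain local groups; global group nesting stays minimal) can be audited against a live domain. The script below is an added example, not from the textbook; it assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later), which Windows Server 2003 itself does not ship.

```powershell
# Added example (not from the textbook): audits an Active Directory domain against the
# group guidelines on this slide. Assumes the ActiveDirectory PowerShell module (RSAT on
# Windows Server 2008 R2 or later), which is not part of Windows Server 2003 itself.
Import-Module ActiveDirectory

function Find-AccountsInDomainLocalGroups {
    # Guideline: avoid placing accounts directly in domain local groups; they
    # should gain access through membership of a global group instead.
    foreach ($group in Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"') {
        Get-ADGroupMember -Identity $group |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{
                    Group   = $group.Name
                    Member  = $_.SamAccountName
                    Finding = 'User account placed directly in a domain local group'
                }
            }
    }
}

function Find-NestedGlobalGroups {
    # Guideline: keep nesting of global groups to a minimum. Reports every
    # global group that has another global group as a direct member.
    foreach ($group in Get-ADGroup -Filter 'GroupScope -eq "Global"') {
        Get-ADGroupMember -Identity $group |
            Where-Object { $_.objectClass -eq 'group' } |
            ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName } |
            Where-Object { $_.GroupScope -eq 'Global' } |
            ForEach-Object {
                [pscustomobject]@{
                    Group   = $group.Name
                    Member  = $_.Name
                    Finding = 'Global group nested directly inside another global group'
                }
            }
    }
}

# Run both checks and show the findings as one table
@(Find-AccountsInDomainLocalGroups) + @(Find-NestedGlobalGroups) | Format-Table -AutoSize
```

Get-ADGroupMember stops at the default 5,000-member result limit, so very large groups such as Domain Users raise an error and need to be enumerated separately.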
Properties of Groups
• General
– Modify the description, scope, and type of the group, and the e-mail addresses for a distribution group
• Members
– Add or remove members of the group
• Member Of
– Add or remove the group's membership in another group
• Managed By
– Establish an account or group that manages the group

Implementing User Profiles
• Local user profile
– Stored on the local computer
– Multiple users can use the same computer and maintain customized settings
• Roaming profile
– Downloaded to the client from the server
– The same settings are available to users regardless of the computer they log on to
• Mandatory profile
– Stored on the server
– A user can modify settings, but cannot save them

Summary
• Active Directory
– Directory service that provides ways to manage resources in a network
• Object
– Most basic component in Active Directory
– Defined through an information set called a schema
• Global catalog
– Stores information about every object
– Replicates key elements
– Authenticates user logons
• Namespace
– Uses the DNS namespace for name resolution
– Active Directory requires a DNS server

Summary (cont.)
• Active Directory hierarchy
– Forests, trees, domains, organizational units, and sites
• Active Directory design
– Keep the structure as simple as possible
• User accounts
– Customize account properties
– Management tasks include disabling, enabling, renaming, moving, and deleting accounts
• Security group management
– Local, domain local, global, and universal groups
• User profiles
– Used to customize accounts