© N. Ganesan, Ph.D., All rights reserved. Active Directory Nanda Ganesan, Ph.D.


Objective
– Outline the step-by-step installation and configuration of Active Directory


Active Directory
– A directory service for the efficient management of users, resources and privileges that is based on standard protocols

Active Directory
– An efficient directory management service for users, resources and privileges that is based on standard Internet protocols

Active Directory Structure
– Domains
– Domain Trees
– Domain Forests

Active Directory Objects
– An object is a distinct named set of attributes that represents a network resource.
– Typical objects are users, groups, computers and printers.
– Each object has a number of attributes. For example, the user object has attributes such as password, name, password length and address.

Active Directory Groups
– Objects are typically grouped into classes, such as groups (a number of user accounts), computers and printers.
– When objects are grouped together, they are placed into a container that holds the objects (it's like a desk drawer that holds a number of objects).

AD Purpose
– Keep a central list of users and passwords
– Provide a set of servers, known as Domain Controllers, to act as “authentication servers”
– Maintain a searchable index of the things in the domain
– Allow you to create users with different levels of power

Some AD Uses
– Multiple selection of user objects
– Drag and Drop functionality
– Efficient search capabilities
– Saved Queries

Requirements
– The computer must be Windows 2k, 2k3 Server, Advanced Server or Datacenter Server.
– At least one volume on the computer must be formatted with NTFS.
– DNS must be active on the network prior to AD installation or be installed during AD installation.
– DNS must support SRV records and be dynamic.
– The computer must have IP protocol installed and have a static IP address.
– The Kerberos v5 authentication protocol must be installed.
– Time and zone information must be correct.

Installation Initiation
– From the Start menu, run DCPROMO

Installing DNS
– DNS is required for AD to function
  – Clients use DNS to locate AD controllers
  – Servers and client computers register their names and IP addresses with DNS for IP resolution

Accessing AD Tools
– From the Start menu, choose Administrative Tools and then the AD tools

Creating a Child Domain
– Requirements
  – Existing domain
  – Member server

Active Directory Correction
– Locate and ensure that the domain controller is present to create a child domain

Group Policy
– Defines the various components of the user's desktop environment that an administrator must manage
– Applies not only to users and client computers but also to member servers, domain controllers, and other 2003 servers in the scope of management

Group Policy Continued
– Manage registry-based policy with Administrative Templates
– Assign scripts. This includes scripts such as computer startup, shutdown, logon, and logoff
– Redirect folders, such as My Documents and My Pictures, from the Documents and Settings folder on the local computer to network locations

Active Directory Users and Computers
– AD users and computers are different from local users and computers

AD Users and Computers

Joining a Domain
– Computers may have to join a domain to be able to access the resources

Auditing Active Directory
– There are numerous options to configure auditing of usage
– It allows you to target specific activities, instead of taking a wider sweep of all activity on a computer.
– A narrower scope of what you are auditing results in smaller logs, which makes reviewing the logged information more efficient.
– Finally, reducing the auditing options to just what you need will reduce the load on the computer, allowing it to provide more resources to other activities.

Auditable Features
– Account logon and logon events
– Object access
– Account management
– Directory service access
– Policy change
– System events
– Process tracking
– Privilege use

Auditing Account Logon and Logon Events
– Keeps track of who tried to log on to what server
– Audits each time a user logs on to or off from another computer where the computer performing the auditing is used to validate the account
– Example: Windows XP logon to DC

Auditing Object Access
– This security setting determines whether to audit the event of a user accessing an object that has its own system access control list (SACL) specified
– Examples: a file, folder, registry key, printer, and so forth

Auditing Account Management
– Any changes to user or group accounts get logged here
– Examples:
  – Create a user
  – Create a group
  – Modify a group’s membership
  – Change a password

Auditing Privilege Use
– Determines whether to audit each instance of a user exercising a user right
– Generates a large volume of entries, one for every right exercised
– Be prepared for larger log files
– Examples:
  – Logging on
  – Shutting down
  – Changing the system time

Auditing System Events
– Determines whether to audit when a user restarts or shuts down the computer or an event has occurred that affects either the system security or the security log
– Not many entries
– Logs whenever the machine is restarted or shut down
  – Example: When you clear the security log or resize it

Auditing Directory Service Access
– Audits each event that is related to a user accessing an Active Directory object which has been configured to track user access through the System Access Control List (SACL) of the object

Auditing Process Tracking
– Mostly used by programmers
– Tracks activity between programs and the operating system
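
An added example, not part of the original slides: a Python check of an exported security template against the targeted-auditing advice in the auditing slides. The `[Event Audit]` key names are the ones Windows security templates use; the baseline in `REQUIRED`, the function names and the sample text are constructed for illustration.

```python
import configparser
# [Event Audit] keys in a security template, mapped to the slide categories.
CATEGORIES = {
    "AuditAccountLogon": "Account logon events",
    "AuditLogonEvents": "Logon events",
    "AuditObjectAccess": "Object access",
    "AuditAccountManage": "Account management",
    "AuditDSAccess": "Directory service access",
    "AuditPolicyChange": "Policy change",
    "AuditSystemEvents": "System events",
    "AuditProcessTracking": "Process tracking",
    "AuditPrivilegeUse": "Privilege use",
}
BITS = ((1, "success"), (2, "failure"))  # value 3 = both, 0 = no auditing
# Hypothetical baseline for this example only; adapt it to your own policy.
REQUIRED = {"AuditAccountLogon": 3, "AuditLogonEvents": 3,
            "AuditAccountManage": 3, "AuditPolicyChange": 1}
NOISY = {"AuditPrivilegeUse"}  # the slides warn this one produces large logs

def parse_event_audit(text):
    """Return {key: int} for the [Event Audit] section of a template."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    section = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    return {k: int(v) for k, v in section.items() if k in CATEGORIES}

def review(text):
    """Compare exported settings with the baseline and list the gaps."""
    current, findings = parse_event_audit(text), []
    for key, want in REQUIRED.items():
        missing = want & ~current.get(key, 0)  # required bits that are off
        names = [n for bit, n in BITS if missing & bit]
        if names:
            findings.append(f"{CATEGORIES[key]}: enable {' and '.join(names)} auditing")
    for key in sorted(NOISY):
        if current.get(key, 0) & 1:
            findings.append(f"{CATEGORIES[key]}: success auditing on, expect large logs")
    return findings

# Constructed sample export, not taken from a real system.
SAMPLE = """[Event Audit]
AuditLogonEvents = 1
AuditPrivilegeUse = 3
AuditPolicyChange = 0
AuditAccountManage = 3
AuditAccountLogon = 2
"""
print("\n".join(review(SAMPLE)))
```

A real export produced with `secedit /export /cfg` is typically UTF-16 encoded, so decode it before passing the text to `review`.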

THE END