Download presentation
1
Administering Active Directory
Chapter 3 Administering Active Directory
2
Objectives Create and modify Active Directory objects such as organizational units, users, computers, and groups Identify and troubleshoot Active Directory group types and scopes Administer Active Directory object permissions Manage and troubleshoot Active Directory replication
3
Administering Active Directory Objects
Types of objects stored in the Active Directory database: Container object Used to contain and organize related objects within the Active Directory hierarchy Can consist of other child containers or leaf objects Example: organizational unit (OU) Leaf object Represents resources within a selected domain Stored within a container Cannot contain other objects Examples: user object, computer object
4
Administering Active Directory Objects (Continued)
Administrative Tools menu Contains a number of management tools, such as Active Directory Users and Computers Active Directory Sites and Services Active Directory Domains and Trusts
5
Exploring Active Directory Users and Computers
MMC application with the filename of Dsa.msc Primary administration tool used to manage the following within an Active Directory domain Users Groups OUs Published information One of the tools used to create and manage Group Policy objects
6
Viewing the Active Directory Users and Computers console
7
Exploring Active Directory Users and Computers (Continued)
Default container objects Several container objects are automatically created when a Windows Server 2003 server is promoted to domain controller Active Directory Users and Computers can create a number of objects within a domain
8
Purpose of the default container objects in Active Directory
9
Objects available in Active Directory Users and Computers
10
Creating Organizational Units
Organizational unit (OU) A logical container that contains other objects, such as Users Groups Computers Published resources Other OUs Can only consist of objects from its home domain Main reason to create an OU Organize and partition a single domain into logical administrative units
11
Creating Organizational Units (Continued)
Things to keep in mind when designing an OU structure Administrative delegation Group Policy Goal in designing a domain The domain should be Logically organized Easy to administer Easy to control
12
Creating New User Accounts
User account object Represents all the information that defines a physical user with access permissions to the network Can assist in the administration and security of the network by making it possible to: Require authentication of anyone connecting to network Control access to network resources such as shared folders or printers Monitor access to resources by auditing actions performed by a user logged on with a specific account
13
Creating a new user object
14
Creating New User Accounts (Continued)
Standards on the elements of a user object might include Establishing a naming convention Controlling password ownership Including additional required attributes A number of initial account settings can be configured when creating a user account, such as Whether a user’s password ever expires If the account should initially be disabled
15
Initial account policy options for a new user account
16
Creating New User Accounts (Continued)
Once a user account is created, a number of additional tasks and attributes can be applied, such as: Copy Add to a Group Disable Account Reset Password Move Open Home Page Send Mail Properties
17
Creating New User Accounts (Continued)
To view and modify user account attributes Right-click the user account, then Click Properties Properties dialog box of a user account Tabs allow you to Add specific information, or Enable specific functionality for the user account
18
Properties of a user account object
19
Creating Computer Accounts
An Active Directory object Can be created in two primary ways: During initial installation of client operating system Preconfigured in Active Directory before client installation
20
Creating a new computer object
21
Moving Active Directory Objects
Objects created within the Active Directory Users and Computers console can be moved between containers within the same domain Containers that cannot be moved: Builtin Computers Domain Controllers ForeignSecurityPrincipals Users The default local groups found in the Builtin container cannot be moved
22
Creating Group Objects
Windows Server 2003 group Container object Used to organize collection of users, computers, contacts, or other groups into a single security principal Simplifies administration Rights and resource permissions can be assigned to a group rather than to individual users
23
Creating Group Objects (Continued)
Groups and OUs Similarity Both are used to organize other objects into logical containers Differences Permissions and rights OUs are not security principals and as such cannot be used to define permissions on resources or be assigned rights Active Directory security groups are security principals that can be assigned both permissions and rights
24
Creating Group Objects (Continued)
Objects that they can contain OUs can only contain objects from their parent domain Some groups can contain objects from any domain within the forest
25
Group Types Windows Server 2003 allows two group types:
Distribution group Typically used with applications to provide a list of users (Microsoft Exchange) Cannot be used to assign access permissions Does not have associated SID Cannot be listed in in discretionary access control lists (DACLs) used to define permissions on resources and objects. Security group Primarily used to grant access Defined by Security Identifier (SID) Can be listed in DACLs. Can also be used like a distribution group for , if the group has an address assigned
26
Group Scopes Group scope
The logical boundary within which a group can be assigned permissions to a specific resource within the domain or forest Security and distribution groups in Active Directory can be assigned one of three possible scopes Global Domain local Universal
27
Global A global group Can be assigned permissions to any resource in any domain within the forest Can only contain members of the same domain in which it is created Mainly used to organize user objects into logical groupings according to function(role, task, or title).
28
Domain Local A domain local group
Can only be assigned permissions to a resource available in the local domain in which it is created Group membership can come from any domain within the forest Mainly used to assign access permissions to a resource
29
Universal A universal group
Can be assigned permissions to any resource in any domain within the forest Purpose: Used to organize users or groups of users in global groups. Implemented via GC Replication traffic limits usabilityïƒ Solution? Differences between universal and global groups A universal group can consist of user objects from any domain in the forest; global groups can only consist of user objects from the same domain Universal groups are only available when a domain is configured in Windows 2000 native mode or the Windows Server 2003 functional level
30
Windows Server 2003 group summary
31
Creating Group Objects
Steps to create group objects in Active Directory Decide in which container object the group should be created Choose an appropriate group name, scope, and type To create universal groups A domain must be switched to native mode
32
Modifying Group Memberships
Membership can be added once a group object is created Depending upon which type of group is created, Windows Server 2003 groups can possibly contain Users Contacts Other groups Computers
33
Adding or modifying memberships
34
Changing a Group Scope A group can change its scope as long as group’s membership rules are not violated Rules for changing group scopes You can only change a global group to a universal group as long as it is not a member of another global group You can only change a domain local group to a universal group as long as it does not contain any other domain local groups as a member
35
Understanding the Built-in Local Groups
Built-in local security groups Have various preassigned rights Can be used to allow users to perform certain network tasks Ease the implementation of delegation and security rights throughout the network Found in Builtin container Built-in global groups Found in Users container
36
Local groups and their rights
37
Viewing built-in global groups
38
Managing Security Groups
User Accounts Acronym A G U DL P can be used to implement the use of security groups Create user Accounts, and organize them within Global groups Often users are grouped in global groups based on departments in the organization. Optional: Create Universal groups and place global groups from any domain within the universal groups. Global Groups A G Universal Groups U
39
Managing Security Groups (Continued)
Domain Local Groups Create Domain Local groups that represent the resources in which you want to control access and add the global or universal groups to the domain local groups 4. Assign Permissions to the domain local groups DL Permissions P
40
GROUPS AND THEIR USERS The access token is built during the logon process. The access token is compared to entries in the Access Control List (ACL) of resources, called Access Control Entries (ACEs). The user is allowed to access the resource based upon group membership. Multiple users can gain access to a single resource or to obtain a group of permissions, such as changing the system time, shutting down the computer, and so on, just by being a member of a group. The access token is built during the logon process. The access token is compared to entries in the Access Control List (ACL) of resources, called Access Control Entries (ACEs). The user is allowed to access the resource based upon group membership.
41
GROUP NESTING: WINDOWS 2000 NATIVE OR LATER DOMAIN FUNCTIONAL LEVEL
create groups that hold other groups. This allows you to further organize or separate your administrative hierarchy. You can use additional groups, which are either global or universal, to create groups that hold other groups. This allows you to further organize or separate your administrative hierarchy. The broken arrows in this diagram illustrate some of the options for nesting groups.
42
Administering Permissions in Active Directory
Active Directory uses permissions to protect the creation, deletion, or viewing of objects within the database By default, administrators have full access to all objects within the domain Users are given the initial permission to read most attributes of the objects stored in the database
43
Active Directory Object Permissions
Active Directory objects can be assigned permissions at two levels: Object-level permissions Define which types of objects a user or group can view, create, delete, or modify within Active Directory Can be applied according to a preconfigured set of standard permissions Attribute-level permissions Define which attributes of a certain object a user or group can view or modify within Active Directory
44
Common standard permissions available in Windows Server 2003 Active Directory
45
Permission Inheritance
By default, all child objects inside a container object inherit permissions from parent objects Permission inheritance and careful planning can eliminate the need to assign permissions to Every container object, or Every object inside a container The default inheritance of permissions can be modified by blocking the inheritance at a container or object level
46
Delegating Authority Over Active Directory Objects
Steps to delegate the administration of Active Directory Design OU structure so that the administration work can be distributed Configure the appropriate level of administrative permissions for each administrator Delegation of Control Wizard Guides you through the process of determining the permissions that you want to delegate Configures permissions for the object and child objects
47
Delegating an administrative task in Active Directory
48
Managing Active Directory Replication
The process of directory data being synchronized and maintained between domain controllers throughout the domain Multi-master replication model Used by Windows Server 2003 Multiple domain controllers have the authority to update and replicate database changes to each domain controller Provides a level of fault tolerance
49
Managing Active Directory Replication
Domain Controller B Domain Controller C Domain Controller A Multimaster Replication
50
Replication Components and Processes
When an object is created, deleted, or modified, replication has to take place among all domain controllers within the domain Originating update Initial modification to the database on a specific domain controller Replicated updates All synchronized copies sent to other domain controllers Replication latency Time that it takes to replicate an update to another domain controller
51
How Replication Works Replication Add Modify Move Delete
Active Directory Update Replication Originating Update Domain Controller A Domain Controller B Domain Controller C Replicated Update Add Modify Move Delete
52
Replication Latency Replication
Default Replication Latency (initial change notification delay + subsequent notification delay ) = 15 sec + 3 sec When No Changes, Scheduled Replication = One Hour Urgent Replication = Immediate Change Notification Replicated Update Change Notification Domain Controller B Replication Originating Update Domain Controller A Change Notification Replicated Update Domain Controller C
53
Identifying Replication Problems
Three main areas that can cause potential conflict within the database Attribute value errors Occur when the same attribute of an object is edited at the same time on two different domain controllers Placing objects within containers marked for deletion Occurs when one administrator deletes a container, while another administrator creates an object or moves an object into the deleted container before replication takes place
54
Identifying Replication Problems (Continued)
Sibling name errors Occur if two administrators concurrently create an object with the same relative distinguished name on two different domain controllers To help resolve possible conflicts Active Directory applies unique stamps to every attribute that is replicated
55
Resolving Replication Conflicts
Domain Controller A Domain Controller B Stamp Stamp Originating Update Originating Update Conflict Conflict Version Number Timestamp Server GUID Stamp
56
Identifying Replication Problems
Tools that can assist in viewing replication information or diagnosing replication problems Event Viewer DCDIAG Replication Monitor
57
Summary Active Directory Users and Computers
Primary tool used to manage users, groups, OUs, and published information within a domain Main goal when designing an OU structure A granular structure that meets the group policy and delegation needs of the organization Possible standards regarding user accounts Establishing a naming convention Determining password ownership Determining which attributes are required
58
Summary (Continued) A computer account
Can be created automatically during the initial client installation of the operating system Can be preconfigured in Active Directory before the initial installation Types of groups in Windows Server 2003 Security groups Distribution groups Possible group scopes Domain local Global Universal
59
Summary (Continued) Acronym A G U DL P
Can be used when implementing the use of security groups Active Directory permissions can be assigned at Object level Attribute level Delegation of Control Wizard Simplifies the process of applying and delegating Active Directory object permissions
60
Summary (Continued) Main replication problems
Attribute-level conflicts Sibling name conflicts Creating or moving objects to deleted containers
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.