Published by Barbra Cannon. Modified over 9 years ago.
Session 7 Windows Platform Eng. Dina Alkhoudari
Learning Objectives
- Active Directory review
- Managing users and groups
- Single Master Operations
- Delegation of Administrative Control
Active Directory Domain Service Review
A directory service is a distributed database that stores information about network resources in order to make their deployment and management easier. Objects are organized hierarchically according to a schema (itself stored in the directory) that defines the attributes of each object class and how objects may be organized.
Logical components of AD DS: data store, organizational unit (OU), domain, domain controller (DC), tree, forest.
Physical components: sites, subnets, site links.
A namespace organizes the descriptions of resources so that users can locate a resource from its characteristics or properties.
Active Directory Domain Service Review
The global catalog is a partial, read-only replica of every object in the Active Directory Domain Services (AD DS) forest: it holds a subset of each object's attributes (the ones most often searched), so a client can locate any object in the forest without knowing which domain holds it.
Replication:
- With Active Directory, all domain controllers replicate changes automatically to all other domain controllers in a multi-master replication model.
- Each time an object is modified on a domain controller, that DC's update sequence number (USN) is incremented and recorded with the modified property; replication partners compare USNs to decide which changes they still need to pull.
Managing users and groups
User accounts are of two types:
- local user accounts, stored on a single computer
- domain user accounts, stored in AD DS
Groups are used to collect objects and manage them as a single entity. Groups are of two types:
- Security groups: security principals with SIDs. They can therefore be used as permission entries in ACLs to control access to resources. Security groups can also be used as distribution groups by e-mail applications. If a group will be used to manage security, it must be a security group.
- Distribution groups: used primarily by e-mail applications. These groups are not security enabled; they have no SID, so they cannot be granted permissions to resources.
Managing users and groups
There are four group scopes:
- Local groups: exist on, and are available to, a single computer only.
- Domain local groups: used to manage permissions to resources in their own domain; they can contain members from any domain in the forest.
- Global groups: used primarily to define collections of domain objects based on business roles; they can contain only members from their own domain.
- Universal groups: useful in multi-domain forests. They enable you to define roles, or to manage resources, that span more than one domain; their membership is stored in the global catalog.
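The user, security/distribution and group-scope concepts above, put together with the ActiveDirectory PowerShell module. This is an added example, not part of the original presentation: the domain, the Finance OU, the user names, the group names and the share path D:\Shares\Finance are assumptions. It follows the usual AGDLP pattern (Accounts in a Global group for the role, nested in a Domain Local group that carries the Permission), and shows why a distribution group cannot be used in the ACL.

```powershell
# Added example (not from the presentation). Assumed: a domain-joined admin
# workstation with RSAT, a Finance OU that does not yet exist, users alice/bob,
# and a folder D:\Shares\Finance on this machine.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$ouDn     = "OU=Finance,$domainDn"
$share    = 'D:\Shares\Finance'          # assumed resource folder

# 1. Container for the objects this example creates.
New-ADOrganizationalUnit -Name 'Finance' -Path $domainDn -ProtectedFromAccidentalDeletion $true

# 2. Domain user accounts (as opposed to local accounts in one computer's SAM).
foreach ($name in 'alice', 'bob') {
    New-ADUser -Name $name -SamAccountName $name -Path $ouDn `
        -UserPrincipalName "$name@$($domain.DNSRoot)" `
        -AccountPassword (Read-Host -AsSecureString "Initial password for $name") `
        -ChangePasswordAtLogon $true -Enabled $true
}

# 3. Global security group = business role; members come from this domain only.
New-ADGroup -Name 'Role-FinanceAnalysts' -Path $ouDn -GroupCategory Security -GroupScope Global
Add-ADGroupMember -Identity 'Role-FinanceAnalysts' -Members 'alice', 'bob'

# 4. Domain local security group = permission on one resource. It is the only
#    principal that will appear in the resource ACL; roles are nested into it.
New-ADGroup -Name 'ACL-FinanceShare-Modify' -Path $ouDn -GroupCategory Security -GroupScope DomainLocal
Add-ADGroupMember -Identity 'ACL-FinanceShare-Modify' -Members 'Role-FinanceAnalysts'

# 5. A distribution group has no SID, so there is nothing an ACE could reference;
#    it exists for mail only and must not be used in step 6.
New-ADGroup -Name 'DL-Finance-Newsletter' -Path $ouDn -GroupCategory Distribution -GroupScope Universal

# 6. Grant the NTFS permission to the domain local security group by SID.
$groupSid = (Get-ADGroup -Identity 'ACL-FinanceShare-Modify').SID
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $groupSid, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 7. Verify: who effectively holds the permission, expanded through the nesting.
Get-ADGroupMember -Identity 'ACL-FinanceShare-Modify' -Recursive |
    Select-Object Name, objectClass, SID
```

Granting the ACE to the group's SID rather than its name matters operationally: if the group is renamed the ACE still resolves, and if the group is deleted and re-created it gets a new SID and the ACE becomes an orphaned entry that must be cleaned up.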
Single Master Operations
A limited number of operations are not permitted to occur at different places at the same time. The domain controllers responsible for these operations are called, interchangeably: operations masters, operations master roles, single master roles, operations tokens, or flexible single master operations (FSMOs). The term means that one domain controller performs a given function, and while it holds that role no other domain controller performs that function.
Single Master Operations
AD DS contains five operations master roles.
Two roles are performed once for the entire forest:
- Domain naming
- Schema
Three roles are performed once in each domain:
- Relative identifier (RID)
- Infrastructure
- PDC emulator
Single Master Operations
Domain Naming Master role: used when adding or removing domains in the forest. When you add or remove a domain, the domain naming master must be reachable, or the operation will fail.
Schema Master role: the DC holding this role is the only one that can write changes to the forest's schema. All other DCs hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, it is recommended you do so on the DC holding the schema master role. Otherwise, the changes you request must be sent to the schema master to be written into the schema.
Single Master Operations
RID Master role: the RID master plays an integral part in the generation of security identifiers (SIDs) for security principals such as users, groups, and computers. The SID of a security principal must be unique. Because any domain controller can create accounts and, therefore, SIDs, a mechanism is needed to ensure that the SIDs generated by different DCs never collide. Active Directory domain controllers generate a SID by appending a unique relative identifier (RID) to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain, so each domain controller can be confident that the SIDs it generates are unique. If the RID master is unavailable for long enough that a DC exhausts its pool, that DC can no longer create security principals.
Infrastructure Master role: in a multidomain environment, it is common for an object to reference objects in other domains. For example, a group can include members from another domain; its multivalued member attribute contains the distinguished names of each member. If the member in the other domain is moved or renamed, the infrastructure master of the group's domain updates the group's member attribute accordingly.
Single Master Operations
PDC Emulator role: this role performs multiple, crucial functions for a domain:
- Emulates a Primary Domain Controller (PDC) for backward compatibility
- Participates in special password update handling for the domain: password changes are forwarded to it immediately, and a DC that rejects a logon checks with the PDC emulator before returning a failure
- Is the default target for Group Policy management tools when GPOs are edited
- Provides the master time source for the domain
- Acts as the domain master browser
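A practical check of the five roles described above: which DC holds each one, how the RID master's pool is being consumed, how a SID decomposes into domain SID plus RID, where the PDC emulator gets its time, and how a role is transferred. This is an added example, not part of the original presentation; the user name alice and the DC name DC02 are assumptions, and the transfer step needs Domain Admin (or Enterprise Admin for the forest roles) rights.

```powershell
# Added example (not from the presentation). Assumed: ActiveDirectory module,
# an existing user 'alice', and a second DC named DC02 for the transfer step.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles (one holder per forest) and domain roles (one holder per domain).
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
}

# A SID is the domain SID followed by a RID that came out of a DC's allocated pool.
$sid = (Get-ADUser -Identity 'alice').SID
'Domain SID: {0}   RID: {1}' -f $sid.AccountDomainSid, $sid.Value.Split('-')[-1]

# Domain-wide RID space on the RID master. rIDAvailablePool is a 64-bit value:
# high 32 bits = ceiling of the pool, low 32 bits = next RID the master will hand out.
$ridMgr  = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) -Properties rIDAvailablePool
$pool    = [int64]$ridMgr.rIDAvailablePool
$ceiling = $pool -shr 32
$nextRid = $pool -band 0xFFFFFFFF
'RIDs issued: {0} of {1} ({2:P1})' -f $nextRid, $ceiling, ($nextRid / $ceiling)

# Per-DC pool: the "RID Set" child of each DC's computer object. A DC whose
# NextRid is near PoolEnd while the RID master is down will stop creating principals.
Get-ADDomainController -Filter * | ForEach-Object {
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($_.ComputerObjectDN)" -Properties rIDAllocationPool, rIDNextRID
    $alloc  = [int64]$ridSet.rIDAllocationPool
    [pscustomobject]@{
        DC        = $_.Name
        PoolStart = $alloc -band 0xFFFFFFFF
        PoolEnd   = $alloc -shr 32
        NextRid   = $ridSet.rIDNextRID
    }
}

# The PDC emulator is the domain's authoritative clock; it should sync from an
# external or parent-domain source, not from "Local CMOS Clock".
w32tm /query /source /computer:$($domain.PDCEmulator)

# Graceful transfer: the current holder must be online. Add -Force only to seize
# from a holder that is gone for good, and never bring that old holder back online.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator -Confirm:$false
```

Querying the role holders from Get-ADForest and Get-ADDomain is the same information that `netdom query fsmo` prints, but as objects you can compare against an expected list in a scheduled check, which is how an unnoticed seizure or a role left on a decommissioned DC is usually caught.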
Delegation of Administrative Control
Also called delegation of control, or just delegation.
It means assigning permissions that manage access to objects and properties in Active Directory, so that a group such as a help desk can perform a defined set of tasks (for example, resetting passwords on the user objects in one OU) without being made a domain administrator.
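Delegation as described above, done with the AD: PowerShell drive instead of the Delegation of Control wizard, followed by the audit a practitioner wants afterwards: which non-default principals hold explicit permissions on which OUs. This is an added example, not part of the original presentation; the Finance OU and the HelpDesk-PasswordReset group are assumptions. The GUIDs for the user class, the pwdLastSet attribute and the Reset Password extended right are looked up from the schema and configuration partitions rather than hard-coded.

```powershell
# Added example (not from the presentation). Assumed: ActiveDirectory module,
# an OU=Finance and a global security group 'HelpDesk-PasswordReset'.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Finance,$domainDn"
$helpdesk = Get-ADGroup -Identity 'HelpDesk-PasswordReset'
$rootDse  = Get-ADRootDSE

# Resolve the object-type GUIDs from the directory itself.
$userClassGuid  = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid   = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$acl = Get-Acl -Path "AD:\$ouDn"
$sid = $helpdesk.SID
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1: the "Reset Password" extended right, applied only to user objects below the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwdGuid, $descendents, $userClassGuid)))

# ACE 2: write pwdLastSet so the help desk can tick "must change password at next logon".
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow, $pwdLastSetGuid, $descendents, $userClassGuid)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Audit: explicit (non-inherited) ACEs on every OU that were not granted to the
# usual built-in principals. Broad rights here (GenericAll, WriteDacl, WriteOwner,
# or unscoped WriteProperty on an OU holding privileged accounts) are a classic
# privilege-escalation path and should each have an owner and a reason.
$builtin = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF',
           'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators'
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $ou = $_.DistinguishedName
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Value -notin $builtin -and
            $_.IdentityReference.Value -notlike '*\Domain Admins' -and
            $_.IdentityReference.Value -notlike '*\Enterprise Admins'
        } |
        Select-Object @{n='OU'; e={ $ou }}, IdentityReference, ActiveDirectoryRights,
                      AccessControlType, ObjectType, InheritedObjectType
}
```

Scoping both ACEs with the user class GUID as the inherited object type is the detail the wizard handles for you: without it the help desk would also get Reset Password on computer objects and on any admin or service accounts someone later moves into the OU.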
End of Session