COMP 213 - Week 004b - Active Directory Details

Active Directory - Design and Security
Active Directory - Account Manager
Active Directory Server 2008 - New Features

John Capobianco

on 3 January 2011


Transcript of COMP 213 - Week 004b - Active Directory Details

Active Directory Design Concepts
Security Concepts
Account Management

Active Directory

Directory service that houses information about all network resources such as servers, printers, user accounts, groups of user accounts, security policies, and other information

Active Directory is based upon standards (LDAP and X.500)

Lightweight Directory Access Protocol (LDAP)
Created by the Internet Engineering Task Force (IETF)
Based on the X.500 Directory Access Protocol (DAP)
Forms the base around which Active Directory is built, which allows applications to use LDAP to integrate with Active Directory

LDAP is present on other operating systems as well and can be used to integrate them with Active Directory

Directory service
Responsible for providing a central listing of resources, ways to quickly find and access specific resources, and a way to manage network resources

Server Types
Domain controllers (DCs)
Servers that have the AD DS server role installed
Contain writable copies of information in Active Directory

First domain controller creates more than just a new domain, it also creates the root of a new tree and the root of a new forest
May eventually become necessary to add domains to the tree, create new trees or forests, and add sites to the AD structure

Member servers
Servers on a network managed by Active Directory that do not have Active Directory installed

Domain
Container that holds information about all network resources that are grouped within it
Every resource is called an object
Multimaster replication
Each DC is equal to every other DC in that it contains the full range of information that composes Active Directory
Active Directory is built to make replication efficient
Schema
Active Directory schema
Defines the objects and the information pertaining to those objects that can be stored in Active Directory

Each attribute is automatically given a version number and date when it is created or changed. This information enables Active Directory to know when an attribute value, such as a password, is changed, and update only that value on all DCs.

User account
One class of object in Active Directory that is defined through schema elements unique to that class

Global Catalog
Stores information about every object within a forest
Store a full replica of every object within its own domain and a partial replica of each object within every domain in the forest

The first DC configured in a forest becomes the global catalog server

The global catalog server enables:

Forest-wide searches of data
Authenticating users when they log on
Providing lookup and access to all resources in all domains
Providing replication of key Active Directory elements
Keeping a copy of the most used attributes for each object for quick access

Namespace
Active Directory uses Domain Name System (DNS)
There must be a DNS server on the network that Active Directory can access

A logical area on a network that contains directory services and named objects
Has the ability to perform name resolution

Active Directory employs two kinds of namespaces:

Disjoint Namespaces
A disjoint namespace occurs when one or more domain member computers have a primary Domain Name Service (DNS) suffix that does not match the DNS name of the Active Directory domain of which the computers are members. For example, a member computer that uses a primary DNS suffix of corp.fabrikam.com in an Active Directory domain named na.corp.fabrikam.com is using a disjoint namespace.

Discontiguous Namespaces
Discontiguous namespace, also referred to as non-contiguous namespace, is one in which the domains in a forest are not lined up in one hierarchical DNS tree. If the domains in a forest have discontiguous DNS names, they form separate domain trees within the forest. An Active Directory forest can have one or more domain trees. An example of a multi-tree forest would be a forest containing the domains, contoso.com and fabrikam.net.
Disjointed

Containers
Active Directory has a treelike structure

The hierarchical elements, or containers, of Active Directory include:
Organizational units (OUs)
Forest
Forests have the following characteristics:
The trees can use a disjointed namespace
All trees use the same schema
All trees use the same global catalog
Domains enable administration of commonly associated objects, such as accounts and other resources, within a forest
Two-way transitive trusts are automatically configured between domains within a single forest
Consists of one or more Active Directory trees that are in a common relationship
Forest provides a means to relate trees that use a contiguous namespace in domains within each tree
But that have disjointed namespaces in relationship to each other
The advantage of joining trees into a forest is that all domains share the same schema and global catalog

Forest functional level determines the features of Active Directory that have forest-wide implications

A Server 2008 domain controller supports the following functional levels:

Windows 2000
Lacks the ability to use forest trusts and to rename a domain

Windows 2003
Supports all the features present in Windows 2000, plus the following features: forest trusts, Knowledge Consistency Checker (KCC) improvements, linked-value replication, rename a domain, read only domain controller deployment

Windows 2008
All the features of 2003, but no additional features (yet)

Tree
Tree has the following characteristics:
Contains one or more domains that are in a common relationship
Domains are represented in a contiguous namespace and can be in a hierarchy
Two-way trust relationships exist between parent domains and child domains
All domains in a single tree use the same schema for all types of common objects
All domains use the same global catalog
The domains in a tree typically have a hierarchical structure
Such as a root domain at the top and other domains under the root

The domains within a tree are in what is called a Kerberos transitive trust relationship
Which consists of two-way trusts between parent domains and child domains
Because of the trust relationship between parent and child domains, any one domain can have access to the resources of all others

Domain
Microsoft views a domain as a logical partition within an Active Directory forest
A domain is a grouping of objects that typically exists as a primary container within Active Directory

The basic functions of a domain are as follows:
To provide an Active Directory ‘‘partition’’ in which to house objects that have a common relationship, particularly in terms of management and security
To establish a set of information to be replicated from one DC to another
To expedite management of a set of objects

Organizational Unit
Organizational unit (OU)
Offers a way to achieve more flexibility in managing the resources associated with a business unit, department, or division than is possible through domain administration alone

An OU is a grouping of related objects within a domain
OUs allow the grouping of objects so that they can be administered using the same group policies

OUs can be nested within OUs
Microsoft recommends that you limit OUs to 10 levels or fewer
Active Directory works more efficiently when OUs are set up horizontally instead of vertically
The creation of OUs involves more processing resources because each request through an OU requires CPU time

Site
A site has the following functions:
A TCP/IP-based concept (container) within Active Directory that is linked to IP subnets
Reflects one or more interconnected subnets
Sites are based on connectivity and replication functions
Reflects the physical aspect of the network
Is used for DC replication
Is used to enable a client to access the DC that is physically closest
Is composed of only two types of objects, servers and configuration objects

Reasons to define a site
Enable a client to access network servers using the most efficient physical route
DC replication is most efficient when Active Directory has information about which DCs are in which locations

One advantage of creating a site is that it sets up redundant paths between DCs
Paths are used for replication

Bridgehead server
A DC that is designated to have the role of exchanging replication information
Only one bridgehead server is set up per site

Benefits of using OUs
You can create familiar hierarchical structures based on an organizational chart to allow easy resource access
Delegation of administrative authority
Able to change OU structure easily
Can group users and computers for the purposes of assigning administrative and security policies
Can hide AD objects for confidentiality or security reasons
Delegation of Control
Delegation of control means a person with higher security privileges assigns authority to a person of lesser security privileges to perform certain tasks

Allows specific control of what someone with delegated control may do

Commonly delegated tasks include:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete, and manage groups
Modify the membership of a group
Manage group policy links
Generate Resultant Set of Policy (Planning)
Generate Resultant Set of Policy (Logging)
Custom tasks can be created for delegation as well, but you must fully understand the nature of objects, permissions, and permission inheritance

Knowledge of permissions and how they work is important regardless of whether you use custom tasks or not

By default, the OU’s properties don’t show that another user has been delegated control
Instead, to verify who has been delegated control of an OU, you must view the OU’s permissions

AD Object Permissions
Three types of objects can be assigned permission to access an AD object: users, groups, and computers; these object types are referred to as security principals

AD object’s security settings are composed of three components:

Discretionary Access Control List (DACL)
Each entry referred to as an access control entry (ACE)

Object owner
Usually the user account that created the object or a group or user who has been assigned ownership

System Access Control List (SACL)
Defines the settings for auditing access to an object
Each object has a list of standard permissions and a list of special permission

Each permission can be set to Allow or Deny, and five standard permissions are available for most objects
Full control
Create all child objects
Delete all child objects
Users can be assigned permission to an object in three different ways
User’s account is added to the object’s DACL, a method referred to as explicit permission
A group the user belongs to is added to the object’s DACL
The permission is inherited from a parent object’s DACL to which the user or group account has been added

A user’s effective permissions are a combination of the assigned permissions

Deny permissions override Allow permissions
Exception: When the Deny permission is inherited from a parent object and the Allow permission is explicitly added to the object’s DACL, the Allow permission takes precedence
Using Deny
If a security principal isn’t represented in an object’s DACL, it doesn’t have access to the object

Deny permissions are not required for every object to prevent access

Deny permission usually used in cases of exception, such as when you don’t want a user to be able to delete child objects in an OU, but still want to grant access
Inheritance
Permission inheritance defines how permissions are transmitted from a parent object to a child object

All objects in AD are child objects of the domain

By default, permissions applied to the parent OU with the Delegation of Control Wizard are inherited by all child objects of that OU
Advanced Features Option
Default settings in AD Users and Computers hide some system folders and advanced features, but you can display them by enabling the Advanced Features option from the View menu
Afterwards, four new folders are shown
Program Data
NTDS (NT Directory Service)

Properties dialog box of domain, folder, and OU objects will now have three new tabs
Used to view detailed information about a container object

Used to view and modify an object’s permissions

Attribute Editor
Used to view and edit an object’s attributes
Effective Permissions
Effective permissions for an object are a combination of the allowed and denied permissions assigned to a security principal

Can come from assignments made directly to a single user account or to a group the user belongs to

Explicit permissions override inherited permissions and can create some exceptions to the rule that Deny permissions override Allow permissions

Most common settings for permission inheritance
This object only
The permission setting isn’t inherited by child (descendant) objects

This object and all descendant objects
The permission setting applies to the current object and is inherited by all child objects

All descendant objects
The permission setting doesn’t apply to the selected object but is inherited by all child objects

Descendant [object type] objects
The permission is inherited only by specific child object types, such as user, computer, or group objects
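As an added illustration of the rules in this section (this is not code from the original presentation), the following Python model evaluates a user's effective permissions on objects in a small constructed directory: the inheritance scopes listed above, blocked inheritance, group nesting (user in a global group that sits in a domain local group), and the precedence order explicit Deny, explicit Allow, inherited Deny, inherited Allow. All domain, OU, group and user names are placeholders.

```python
"""Toy model of AD object permissions: DACL entries with inheritance scopes,
group-based assignment, blocked inheritance and the explicit-vs-inherited
precedence rule. Constructed illustration, not Microsoft's implementation."""
from dataclasses import dataclass, field
from typing import Optional

# Rights used in this model; "Full control" expands to all of them
ALL_RIGHTS = frozenset({"Read", "Write", "Create all child objects",
                        "Delete all child objects", "Reset password"})

@dataclass
class ACE:
    """One access control entry in an object's DACL."""
    principal: str           # user, group or computer (a security principal)
    kind: str                # "Allow" or "Deny"
    rights: frozenset
    applies_to: str = "this_object_and_descendants"  # or "this_object_only",
    # "descendants_only", "descendant:<type>"
    inherited: bool = False  # set when the ACE is propagated from a parent

@dataclass
class ADObject:
    name: str
    obj_type: str            # "domain", "organizationalUnit", "user", ...
    parent: Optional["ADObject"] = None
    dacl: list = field(default_factory=list)
    inherit: bool = True     # inheritance is on by default but can be disabled

def expand(rights):
    return ALL_RIGHTS if "Full control" in rights else frozenset(rights)

def applies_here(ace, obj, as_descendant):
    """Does this ACE cover obj? as_descendant is True when obj lies below the ACE's object."""
    scope = ace.applies_to
    if not as_descendant:
        return scope in ("this_object_only", "this_object_and_descendants")
    if scope in ("this_object_and_descendants", "descendants_only"):
        return True
    return scope == f"descendant:{obj.obj_type}"

def applicable_aces(obj):
    """Explicit ACEs on obj plus ACEs inherited down the container chain."""
    aces = [a for a in obj.dacl if applies_here(a, obj, False)]
    cur = obj
    while cur.inherit and cur.parent is not None:  # stop where inheritance is blocked
        cur = cur.parent
        for a in cur.dacl:
            if applies_here(a, obj, True):
                aces.append(ACE(a.principal, a.kind, a.rights, a.applies_to, True))
    return aces

def principals_for(user, membership):
    """Transitive group closure: the user plus every group it ends up in."""
    seen, todo = {user}, [user]
    while todo:
        for g in membership.get(todo.pop(), ()):
            if g not in seen:
                seen.add(g)
                todo.append(g)
    return seen

def effective_permissions(user, obj, membership):
    """Rights the user holds on obj. Per right, the first ACE in canonical order
    decides: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    A principal absent from the DACL gets nothing."""
    mine = [a for a in applicable_aces(obj)
            if a.principal in principals_for(user, membership)]
    mine.sort(key=lambda a: (a.inherited, a.kind == "Allow"))
    granted = set()
    for right in ALL_RIGHTS:
        for a in mine:
            if right in expand(a.rights):
                if a.kind == "Allow":
                    granted.add(right)
                break
    return frozenset(granted)

def build_demo():
    """Constructed directory with placeholder names: domain, HR OU, two child OUs, a user."""
    domain = ADObject("DC=corp,DC=example", "domain", dacl=[
        ACE("Domain Admins", "Allow", frozenset({"Full control"}))])
    hr = ADObject("OU=HR", "organizationalUnit", parent=domain, dacl=[
        # delegated to a domain local group: manage objects, but never delete them
        ACE("HR-Managers-DL", "Allow", frozenset({"Read", "Write", "Create all child objects"})),
        ACE("HR-Managers-DL", "Deny", frozenset({"Delete all child objects"})),
        # "Descendant user objects" scope: password resets on users only
        ACE("HR-Managers-DL", "Allow", frozenset({"Reset password"}), "descendant:user")])
    contractors = ADObject("OU=Contractors", "organizationalUnit", parent=hr, dacl=[
        # explicit Allow on the child object beats the Deny inherited from HR
        ACE("alice", "Allow", frozenset({"Delete all child objects"}))])
    execs = ADObject("OU=Executives", "organizationalUnit", parent=hr, inherit=False, dacl=[
        ACE("HR-Managers-DL", "Allow", frozenset({"Read"}))])  # inheritance blocked here
    bob = ADObject("CN=bob", "user", parent=hr)
    # AGDLP nesting: user -> global group (own domain) -> domain local group -> ACEs
    membership = {"alice": {"HR-Staff-Global"}, "HR-Staff-Global": {"HR-Managers-DL"},
                  "dana": {"Domain Admins"}}
    return {"domain": domain, "hr": hr, "contractors": contractors,
            "execs": execs, "bob": bob}, membership

if __name__ == "__main__":
    objs, members = build_demo()
    for user in ("alice", "dana"):
        for name in ("hr", "contractors", "execs", "bob"):
            print(user, name, sorted(effective_permissions(user, objs[name], members)))
```

Note that blocking inheritance on OU=Executives also cuts off the Domain Admins Full control inherited from the domain, which is why auditing permissions on protected containers matters.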

Permission inheritance is enabled by default on child objects but can be disabled

GPRESULT and RSOP
Group Policy Results or Resultant Set of Policies

Terminology
Directory Partitions
Operations Master Roles
Active Directory Replication
Trust Relationships
Each section of an Active Directory database is referred to as a directory partition; there are five directory partition types in the AD database:

Domain directory partition
Contains all objects in a domain, including users, groups, computers, OUs, and so forth

Schema directory partition
Contains information needed to define AD objects and object attributes

Global catalog partition
Holds the global catalog, which is a partial replica of all objects in the forest

Application directory partition
Used by applications and services to hold information that benefits from

Configuration partition
Holds configuration information that can affect the entire forest
Several operations in a forest require having a single domain controller, called the operations master, with sole responsibility for the function

First domain controller in the forest generally takes on the role of the operations master

If necessary, responsibility for these roles can be transferred to another domain controller
DC performing the role was the first DC in the forest and therefore holds all roles
DC performing the role is being moved to a location that isn’t well suited for the role
The current DC’s performance is inadequate because of the resources the FSMO role requires
The current DC is being taken out of service temporarily or permanently

There are five operations master roles, referred to as Flexible Single Master Operation (FSMO) roles, in an AD forest:
Schema master
Infrastructure master
Domain Naming master
RID master
PDC Emulator master

When removing DCs from a forest, be careful that these roles are not removed from the network accidentally

Replication
Replication is the process of maintaining a consistent database of information when the database is distributed among several locations

Intrasite and intersite replication use the same basic processes to replicate Active Directory data

Intrasite replication
Replication between domain controllers in the same site

Initiated in one of two ways
Periodic replication

Intrasite replication involves two main components:
Knowledge Consistency Checker (KCC)
Connection objects

Intersite replication
Occurs between two or more sites
Replication is optimized to take slower WAN links into account

Multimaster replication
Used by AD for replicating AD objects

Knowledge Consistency Checker (KCC) runs on all DCs
Determines the replication topology, which defines the domain controller path that AD changes flow through and ensures no more than three hops exist between any two DCs

Trust Relationships
In Active Directory, a trust relationship defines whether and how security principals from one domain can access network resources in another domain

Since Windows 2000 AD, trust relationships are established automatically between all domains in the forest

Trusts do not equal permissions

DNS must be configured so that FQDNs of DCs in all participating domains can be resolved

All domains in a forest share some common characteristics:
A single schema
Forestwide administrative accounts
Operations masters
Global catalog
Trusts between domains
Replication between domains
Global Catalog
Global Catalog servers perform the following vital functions:
Facilitate domain and forestwide searches
Facilitate logon across domains; users can log on to computers in any domain by using their user principal name (UPN)
Hold universal group membership information
Forest Root Domain
First domain is the forest root and is referred to as the forest root domain

Imperative to the functionality of AD; if it disappears, the entire structure ceases to operate

Functions the forest root domain usually handles:
DNS server
Global catalog server
Forestwide administrative accounts
Operations masters

Due to the importance of the forest root domain’s functionality, some organizations choose a dedicated forest root domain

The advantages of running a dedicated forest root domain include the following:
More secure
More manageable
More flexible

Design
Most organizations operate under a single AD forest, which has a number of advantages:
A common Active Directory structure
Easy access to network resources
Centralized management
Lower Costs

The advantages of single forest structure are also limitations in many aspects; diversity within an organization may make single forest design unfeasible

Multiple forest design includes the following advantages:
Differing schemas are possible
Security boundaries
Separate administration
Compatibility with a Windows NT domain
Need for differing account policies
Need for different name identities
Replication control
Need for internal versus external domains
Need for tight security
Trusts allow users in one domain to access resources in another domain, without requiring a user account on the other domain

Types of trust
One-way and two-way trusts
Transitive trusts
Shortcut trusts
Forest trusts
External trusts
Realm trusts
One-way trust exists when one domain trusts another, but the reverse is not true
When domainA trusts domainB, users in domainB may access resources in domainA but not vice versa
In this case, domainA is the Trusting domain, and domainB is the Trusted domain

More common is the two-way trust, in which users from both domains can be given access to resources in the other domain
One-Way and Two-Way

Transitive
A transitive trust is named after the transitive rule of equality in mathematics: if A=B and B=C, then A=C

If one domain trusts another domain and that domain trusts a third domain, then the first domain has a transitive trust with the third domain

In order to authenticate a user, a referral must be made to a domain controller in each domain in the path to the destination; this can cause substantial delays

Shortcut
A shortcut trust is configured manually between domains to bypass the normal referral process

Shortcut trusts are transitive and can be configured as one-way or two-way trusts between domains in the same forest

Shortcut trusts can reduce delays caused by referral processes
Forest
A forest trust provides a one-way or two-way transitive trust between forests that allows security principals in one forest to access resources in any domain in another forest
Are not possible in Windows 2000 forests

They are transitive in the sense that all domains in one forest trust all domains in another forest, but the trust isn’t transitive from one forest to another

External
An external trust is a one-way or two-way nontransitive trust between two domains that aren’t in the same forest

An external trust is not transitive and is nearly identical to creating a forest trust

Generally used in these circumstances:
To create a trust between two domains in different forests
To create a trust with a Windows 2000 or Windows NT domain

Realm
Can be used to integrate users of other OSs into a Windows Server 2008 domain or forest

This requires the OS to be running the Kerberos V5 authentication system that AD uses

Kerberos is an open-standard security protocol used to secure authentication and identification between parties in a network

When creating a realm trust, main consideration should be whether or not it should be transitive
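As an added example that is not part of the original presentation, the Python model below encodes the trust types described in this section and computes the chain of domain referrals a logon needs. It goes beyond the shortcut case alone: it uses the page's contoso.com / fabrikam.net multi-tree forest and adds placeholder partner forests and a legacy domain to show that a shortcut trust collapses a four-referral path to one, that an external trust never chains beyond its two domains, and that a forest trust does not carry over to a third forest.

```python
"""Toy model of Active Directory trust relationships and the logon referral
path between domains. Constructed illustration; placeholder domain names."""
from collections import deque

class TrustMap:
    def __init__(self):
        # access edges: trusted domain -> {(trusting domain, transitive, forest_trust)}
        self.edges = {}

    def _add(self, trusting, trusted, transitive, forest):
        # users in the trusted domain may access resources in the trusting domain
        self.edges.setdefault(trusted, set()).add((trusting, transitive, forest))
        self.edges.setdefault(trusting, set())

    def parent_child(self, parent, child):
        """Automatic two-way transitive (Kerberos) trust inside a tree."""
        self._add(parent, child, True, False)
        self._add(child, parent, True, False)

    def tree_root(self, forest_root, tree_root):
        """Two-way transitive trust joining a second tree to the forest root."""
        self.parent_child(forest_root, tree_root)

    def shortcut(self, a, b, two_way=True):
        """Manually created transitive trust that bypasses the referral chain."""
        self._add(a, b, True, False)
        if two_way:
            self._add(b, a, True, False)

    def external(self, trusting, trusted, two_way=False):
        """Non-transitive trust with a domain outside the forest."""
        self._add(trusting, trusted, False, False)
        if two_way:
            self._add(trusted, trusting, False, False)

    def forest(self, root_a, root_b, two_way=True):
        """Forest trust: transitive across both forests, never on to a third forest."""
        self._add(root_a, root_b, True, True)
        if two_way:
            self._add(root_b, root_a, True, True)

    def referral_path(self, user_domain, resource_domain):
        """Shortest chain of domains a logon referral walks, or None if no trust allows it."""
        if user_domain == resource_domain:
            return [user_domain]
        # a non-transitive trust is usable only when it is the whole path
        for nxt, _transitive, _forest in self.edges.get(user_domain, ()):
            if nxt == resource_domain:
                return [user_domain, resource_domain]
        # otherwise BFS over transitive edges, crossing at most one forest trust
        start = (user_domain, False)
        prev = {start: None}
        queue = deque([start])
        while queue:
            dom, crossed = queue.popleft()
            for nxt, transitive, forest in self.edges.get(dom, ()):
                if not transitive or (forest and crossed):
                    continue
                state = (nxt, crossed or forest)
                if state in prev:
                    continue
                prev[state] = (dom, crossed)
                if nxt == resource_domain:
                    path, cur = [nxt], (dom, crossed)
                    while cur is not None:
                        path.append(cur[0])
                        cur = prev[cur]
                    return path[::-1]
                queue.append(state)
        return None

def referrals(t, user_domain, resource_domain):
    """Number of cross-domain referrals a logon needs (path length minus one), or None."""
    p = t.referral_path(user_domain, resource_domain)
    return None if p is None else len(p) - 1

def build_demo():
    """Constructed forest with two trees (names from the page), plus placeholder partners."""
    t = TrustMap()
    t.parent_child("contoso.com", "corp.contoso.com")
    t.parent_child("corp.contoso.com", "na.corp.contoso.com")
    t.parent_child("corp.contoso.com", "eu.corp.contoso.com")
    t.tree_root("contoso.com", "fabrikam.net")          # discontiguous second tree
    t.parent_child("fabrikam.net", "sales.fabrikam.net")
    t.external("corp.contoso.com", "LEGACY-NT", two_way=True)   # placeholder NT domain
    t.forest("contoso.com", "partner.example")           # placeholder partner forest
    t.parent_child("partner.example", "hq.partner.example")
    t.forest("partner.example", "third.example")         # placeholder third forest
    return t

if __name__ == "__main__":
    t = build_demo()
    print(t.referral_path("na.corp.contoso.com", "sales.fabrikam.net"))  # 4 referrals
    t.shortcut("na.corp.contoso.com", "sales.fabrikam.net")
    print(t.referral_path("na.corp.contoso.com", "sales.fabrikam.net"))  # 1 referral
    print(referrals(t, "na.corp.contoso.com", "LEGACY-NT"))               # None
```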
Sites
AD site represents a physical location where DCs are placed and group policies can be applied

AD object containing domain controllers and replication settings and is usually associated with IP subnets and site links

First DC of a forest creates a site named Default-First-Site-Name once installed

Three main reasons for establishing multiple sites:
Authentication efficiency
Replication efficiency
Application efficiency

Sites are created using Active Directory Sites and Services

Sites are usually geographically dispersed and connected by WAN links

When you create a site, you’re asked to select a site link
DEFAULTIPSITELINK is the only choice unless you’ve created other site links

Guidelines
Above all, keep Active Directory as simple as possible
Plan its structure before you implement it

Implement the least number of domains possible
With one domain being the ideal and building from there

Implement only one domain on most small networks

Use OUs to reflect the organization’s structure

Create only the number of OUs that are absolutely necessary
Do not build an Active Directory with more than 10 levels of OUs

Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies

Implement multiple trees and forests only as necessary

Use sites in situations where there are multiple IP subnets and multiple geographic locations
As a means to improve logon and DC replication performance

Guidelines to help simplify how you plan to use groups:
Use global groups to hold accounts as members
Use domain local groups to provide access to resources in a specific domain
Use universal groups to provide extensive access to resources

Accounts
Default accounts:
Administrator and Guest

User accounts have two main functions in AD
Provide a method for user authentication to the network
Provide detailed information about a user

Windows machines that are not part of a domain store accounts in the Security Accounts Manager (SAM) database on the local machine

User accounts created in AD are referred to as domain user accounts; these accounts can usually log on to any computer that’s in the AD forest

Accounts can be set up in two general environments:
Accounts that are set up through a stand-alone server that does not have Active Directory installed
Accounts that are set up in a domain when Active Directory is installed

Create
Disabling, Renaming, and Enabling
Move
Change Password
Delete
Activities 4-4 - 4-8

Security Group Management
One of the best ways to manage accounts is by grouping accounts that have similar characteristics

Scope of influence (or scope)
The reach of a group for gaining access to resources in Active Directory

Types of groups:
Domain local
All of these groups can be used for security or distribution groups
Security groups
Used to enable access to resources on a stand-alone server or in Active Directory

Distribution groups
Used for e-mail or telephone lists, to provide quick, mass distribution of information
A distribution group is used to group users together mainly for sending e-mails to several people at once with an Active Directory integrated e-mail application, such as Microsoft Exchange

Can have the following objects as members:
User accounts
Other distribution groups
Security groups
Computers

Local
Local security group
Used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain

Instead of installing Active Directory, you can divide accounts into local groups
Each group would be given different security access based on the resources at the server

A local group is created in the local SAM database on a member server or workstation or a stand-alone computer

When a computer joins a domain, Windows changes the membership of two local groups automatically
Administrators: Domain Admin global group added
Users: Domain users global group added

Local groups can have the following account types as members:
Local user accounts
Domain user accounts
Domain local groups
Global or universal groups

Domain Local
Domain local security group
Used when Active Directory is deployed
Typically used to manage resources in a domain and to give global groups from the same and other domains access to those resources

The scope of a domain local group is the domain in which the group exists

The typical purpose of a domain local group is to provide access to resources
You grant access to servers, folders, shared folders, and printers to a domain local group

Global
Global security group
Intended to contain user accounts from a single domain
Can also be set up as a member of a domain local group in the same or another domain

A global group can contain user accounts and other global groups from the domain in which it was created

A global group can be converted to a universal group
As long as it is not nested in another global group or in a universal group

A typical use for a global group is to build it with accounts that need access to resources in the same or in another domain
And then to make the global group in one domain a member of a domain local group in the same or another domain

This model enables you to manage user accounts and their access to resources through one or more global groups
While reducing the complexity of managing accounts

Activity 4-9: Creating Domain Local and Global Security Groups

Universal
Universal security groups
Provide a means to span domains and trees

Universal group membership can include user accounts from any domain, global groups from any domain, and other universal groups from any domain

Universal groups are offered to provide an easy means to access any resource in a tree
Or among trees in a forest

You can configure the properties of a specific group
By double-clicking that group in the Local Users and Groups tool for a stand-alone (nondomain) or member server
Or in the Active Directory Users and Computers tool for DC servers in a domain

Properties are configured using the following tabs:
Member Of
Managed By
User Profiles
A local user profile is automatically created at the local computer when you log on with an account for the first time

The profile can be modified to consist of desktop settings that are customized for one or more clients who log on locally

Multiple users can use the same computer and maintain their own customized setting
Profiles can be stored on a network server so they are available to users regardless of the computer they use to log on (roaming profile)
Profiles can be made mandatory so users have the same settings each time they log on (mandatory profile)

One way to set up a profile is to first set up a generic account on the server with the desired desktop configuration
Then copy the Ntuser.dat file to the \Users\Default folder in Windows Server 2008

To create the roaming profile, set up a generic account and customize the desktop
Set up those users to access a profile by opening the Profile tab in each user’s account properties and entering the path to that profile
What's New
Five new features deserve particular mention:
Restart capability
Read-Only Domain Controller
Auditing improvements
Multiple password and account lockout policies in a single domain
Active Directory Lightweight Directory Services role

Active Directory 2008 Restart Capability
Windows Server 2008 provides the option to stop Active Directory Domain Services
Without taking down the computer

After your work is done on Active Directory, you simply restart Active Directory Domain Services
Read-Only Domain Controller (RODC)
You cannot use it to update information in Active Directory and it does not replicate to regular DCs

An RODC can still function as a Key Distribution Center for the Kerberos authentication method

The purpose of having an RODC is for better security at branch locations
Where physical security measures might not be as strong as at a central office

An RODC can also be configured as a DNS server
Audit Improvements
Server administrators can now create an audit trail of many types of changes that might be made in Active Directory, including when:
There are attribute changes to the schema
Objects are moved, such as user accounts moved from one OU to a different one
New objects are created, such as a new OU
A container or object is deleted and then brought back, even if it is moved to a different location than where it was originally located

You must set up Active Directory auditing in two places:
Enable a Domain Controllers (global) Policy to audit successful or failed Active Directory change actions
Configure successful or failed change actions on specific Active Directory objects or containers

Password and Account Policy Improvements
You can set up multiple password and account lockout security requirements
And associate them with a security group or user

You can also associate them with an OU by creating a ‘‘global shadow security group’’
A group that can be mapped to an OU
This process is called setting up ‘‘fine-grained password policies’’

AD LDS
Active Directory Lightweight Directory Services (AD LDS) role
Targeted for servers that manage user applications
Enables the applications to store configuration and vital data in a central database

AD LDS is more forgiving than AD DS
If you make a mistake in a modification the mistake in most circumstances does not affect how users access their accounts and resources in a domain

AD LDS is installed as a server role via Server Manager
Summary
Active Directory (or AD DS) is a directory service to house information about network resources

Active Directory is based on the X.500 and LDAP standards, which are standard protocols for defining, storing, and accessing directory service objects

Servers housing Active Directory are called domain controllers (DCs)

The most basic component of Active Directory is an object

OUs, the building blocks of the AD structure in a domain, can be designed to mirror a company’s organizational chart; delegation of control can be used to give users some management authority in an OU

The global catalog stores information about every object, replicates key Active Directory elements, and is used to authenticate user accounts when they log on

A namespace consists of using the Domain Name System for resolving computer and domain names to IP addresses and vice versa

Active Directory is a hierarchy of logical containers: forests, trees, domains, and organizational units

You can delegate management of many Active Directory containers to specific types of administrators

User accounts enable individual users to access specific resources
On a stand-alone or member server, you can create local security groups to help manage user accounts

User profiles are tools for customizing accounts

The ability to stop and restart Active Directory without taking down a DC is new to Windows Server 2008

Three additional new features include new Active Directory auditing capabilities, fine-grained password policies, and the Active Directory Lightweight Directory Services role
Site Links
A site link is needed to connect two or more sites for replication purposes
Site links determine the replication schedule and frequency between the sites they connect
Additional site links can help adjust the replication schedule according to a network's link characteristics
Descriptive names should be used for site links
A site can exist in more than one site link
The intersite replication topology is determined by the cost value associated with each site link; the lowest-cost route between two sites is preferred
Large organizations might require multiple domains, trees, and forests

Directory partitions are sections of the AD database that hold varied types of data and are managed by different processes

The forest is the broadest logical AD component; all domains in a forest share some common characteristics, such as a single schema, the global catalog, and trusts between domains
Trusts permit domains to accept user authentication from another domain and facilitate cross-domain and cross-forest resource access with a single logon

A domain is the primary identifying and administrative unit of AD; each domain has a unique name, and there’s an administrative account with full control over objects in the domain

An AD site represents a physical location where domain controllers reside
Administrator:
Local administrator account has full access to all aspects of a computer, while domain administrator account has full access to all aspects of the domain
Default Administrator account should be renamed and given a strong password
Administrator account should only be used while performing administrative operations
Administrator account can be renamed or disabled but not deleted
Guest account is disabled by default after install and must be enabled before it can be used for logon
Guest account can have a blank password, which is one reason it should stay disabled unless there is a clear need for it
Should be renamed if it is to be used
Account has limited access to a computer or domain but has access to any resource for which the Everyone group has permission
User Accounts:
User account names must be unique throughout the domain
Account names aren't case sensitive, can be from 1 to 20 characters, and can use letters, numbers, and special characters (with some exceptions: the pre-Windows 2000 logon name can't contain " / \ [ ] : ; | = , + * ? < >)
Develop a standard naming convention (example: John Doe, j.doe)
By default, complex passwords are required; passwords are case sensitive
Defaults only require a logon name and password to create a valid user (with DSADD), but additional information should be provided to facilitate AD searches
When you use AD Users and Computers to add users, you must enter a value for the following attributes:
Full name
User logon name
User logon name (pre-Windows 2000)
Password and Confirm Password
The same wizard also offers these account options as check boxes:
User must change password at next logon
User cannot change password
Password never expires
Account is disabled
User Templates:
A user template is simply a user account that’s copied to create users with common attributes

Not all attributes can be copied - there are limitations
Template Tips:
Create one template account for each department or OU
Disable the template account so it can never be used to log on
Add an underscore or other special character to the beginning of a template account’s name to make it easy to recognize
Fill in as many common attributes as you can so that after the account is created, less customizing is necessary
Multiple Modify:
Selecting multiple users using ctrl + click or shift + click allows them all to be edited simultaneously

The following actions can be performed:
Add to a group
Disable account
Enable account
Send Mail
Properties
Some account changes can be made only by right-clicking a user account or by using the Action menu of AD Users and Computers
Reset a password
Rename an account
Move an account; accounts and other AD objects can be moved with one of three methods
Right-click the user and click move
Right-click the user and click cut
Drag the user from one container to another
General:
Contains descriptive information about the account but does not affect the user's logon, group memberships, rights, or permissions

Display name
Same as the CN when the account is first created

E-mail
Can be used to send an e-mail to the user using the default mail application

Web page
Can contain a URL and allows you to open the specified URL by right-clicking the user account
Account:
Contains the information that most affects a user’s logon to the domain
User logon name and User logon name (pre-Windows 2000)
Logon Hours
Log On To
Unlock account
Account options
Store password using reversible encryption (stores the password in a recoverable form; leave it off unless a specific application protocol requires it, because anyone who can read the directory database can recover the password)
Smart card is required for interactive logon
Account is sensitive and cannot be delegated (prevents services from using Kerberos delegation to impersonate the account; recommended for administrative accounts)
Account expires
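The check boxes under Account options are stored as bits of the user's userAccountControl attribute (except "User cannot change password", which is implemented as a permission entry, and "Account expires", which is the separate accountExpires attribute). The script below is an added example, not code from the original presentation: it decodes the documented UF_* flag bits and audits a constructed export for the risky settings discussed above. Python is used here as an offline model; the account names and flag combinations are made up.

```python
# Added example (not from the original presentation): decode the
# userAccountControl attribute that stores most "Account options" check
# boxes, and audit an export for risky settings. UF_* values are the
# documented flag bits; the SAMPLE export below is constructed.

UF_FLAGS = {
    0x0002: "ACCOUNTDISABLE",                   # Account is disabled
    0x0020: "PASSWD_NOTREQD",                   # a blank password is accepted
    0x0080: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",  # Store password using reversible encryption
    0x0200: "NORMAL_ACCOUNT",                   # ordinary user account
    0x1000: "WORKSTATION_TRUST_ACCOUNT",        # member computer account
    0x2000: "SERVER_TRUST_ACCOUNT",             # domain controller account
    0x10000: "DONT_EXPIRE_PASSWD",              # Password never expires
    0x40000: "SMARTCARD_REQUIRED",              # Smart card is required for interactive logon
    0x80000: "TRUSTED_FOR_DELEGATION",          # unconstrained Kerberos delegation
    0x100000: "NOT_DELEGATED",                  # Account is sensitive and cannot be delegated
    0x200000: "USE_DES_KEY_ONLY",               # Kerberos DES keys only
    0x400000: "DONT_REQUIRE_PREAUTH",           # Kerberos pre-authentication not required
    0x800000: "PASSWORD_EXPIRED",
}


def decode_uac(value):
    """Return the set of flag names whose bits are set in a userAccountControl value."""
    return {name for bit, name in UF_FLAGS.items() if value & bit}


def audit_accounts(accounts, privileged):
    """accounts: iterable of (sAMAccountName, userAccountControl) pairs.
    privileged: names that should carry NOT_DELEGATED.
    Returns {name: [finding, ...]} for enabled accounts with risky options."""
    findings = {}
    for name, uac in accounts:
        flags = decode_uac(uac)
        if "ACCOUNTDISABLE" in flags:      # a disabled template is not a live risk
            continue
        notes = []
        if "ENCRYPTED_TEXT_PASSWORD_ALLOWED" in flags:
            notes.append("reversible encryption: password recoverable from the directory database")
        if "PASSWD_NOTREQD" in flags:
            notes.append("password not required: an empty password bypasses the password policy")
        if "DONT_EXPIRE_PASSWD" in flags:
            notes.append("password never expires")
        if "TRUSTED_FOR_DELEGATION" in flags:
            notes.append("unconstrained delegation: can impersonate any user who authenticates to it")
        if "USE_DES_KEY_ONLY" in flags or "DONT_REQUIRE_PREAUTH" in flags:
            notes.append("weak Kerberos settings (DES only / no pre-authentication)")
        if name in privileged and "NOT_DELEGATED" not in flags:
            notes.append("privileged account without 'sensitive and cannot be delegated'")
        if notes:
            findings[name] = notes
    return findings


# Constructed sample export: (sAMAccountName, userAccountControl)
SAMPLE = [
    ("jdoe", 512),                                # plain enabled user
    ("_template_sales", 512 | 0x2),               # disabled template account
    ("svc-legacy", 512 | 0x80 | 0x10000),         # reversible encryption, never expires
    ("svc-batch", 512 | 0x20),                    # password not required
    ("admin-jdoe", 512 | 0x100000 | 0x40000),     # sensitive, smart card required
    ("admin-old", 512),                           # admin without NOT_DELEGATED
]
PRIVILEGED = {"admin-jdoe", "admin-old"}

if __name__ == "__main__":
    for name, notes in sorted(audit_accounts(SAMPLE, PRIVILEGED).items()):
        print(name)
        for note in notes:
            print("  -", note)
```

On a real domain the (name, userAccountControl) pairs would come from an export such as csvde -f or ldifde -f with the userAccountControl attribute selected; the audit logic is the same.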
Profile:
Used to specify the location of files that make up a user's profile, a logon script, and the location of a home folder

Profile path
Vista or Server 2008 stores the profile in the C:\Users\username directory
Windows XP uses C:\Documents and Settings\username

Logon Script
Will run a script when user logs on
Group Policy logon scripts are preferred, but Windows NT and 9x clients can't process Group Policy, so they rely on this setting

Home folder
Can be a local path or a drive letter that points to a network share
Member Of:
Lists groups the user belongs to
Can be used to change group memberships
Set Primary Group button is needed only when a user is logging in to a Macintosh, Unix, or Linux client computer
Terminal Services:
Settings in these tabs affect a user’s session and connection properties when connecting to a Windows Server 2008 Terminal Services server
Terminal Services Profile
Remote Control
Contact and Distribution Lists
A contact is an Active Directory object that usually represents a person for informational purposes only
Most common use of a contact is for integration into Microsoft Exchange’s address book
Distribution lists are created in the same way as groups
Distribution lists are also used with Microsoft Exchange to send e-mails, but to several people at once
A user profile is a collection of a user's personal files and settings that define his or her working environment

Some key folders in a user’s profile (N/A denotes that folder doesn’t exist in Windows XP)
AppData (N/A)
Documents (My Documents)
Downloads (N/A)
Music (My Music)
Pictures (My Pictures)

A local profile is a user profile stored on the same system where the user logs on
Local profiles are created from a default profile when the user first logs on to a specific machine
Changes on one local profile will not migrate to another local profile on another machine
For consistent profiles that reflect changes made on multiple machines, use roaming profiles
A roaming profile follows the user no matter which computer he or she logs on to
Profile is copied from a network share when the user logs on to a computer in the network
Creates a local copy of the roaming profile, called a profile’s cached copy
Changes made to the profile are then replicated from locally cached copy back to the profile on the network share when the user logs off

The roaming profile is created from one of two locations
The NETLOGON share
The Default profile on the local system

To customize the default roaming profile:
Create a user with a local profile
Log on to a system as the user you created
Customize your environment
Log off and log on as Administrator
Use Control Panel's User Profiles applet to copy the user's profile to the NETLOGON share on your domain controller in a folder named Default User.V2
Two parts to configuring roaming profiles
Configuring a shared folder to hold roaming profiles
Configuring each user account’s properties to specify the roaming profile’s location

The default or existing local profile will be copied to the roaming profile

A folder named with the user's logon name plus .V2 is created automatically with appropriate permissions

.V2 distinguishes a roaming profile from a pre-Vista roaming profile
Mandatory Profiles
Used when you don't want users to be able to change their profile or only have the ability to make temporary changes
Commonly used in situations where a common logon is assigned for multiple users
Works like a roaming profile, but changes made to the profile are not copied back to the server
Super Mandatory Profiles
Normal mandatory profiles allow using a temporary profile based on the default profile, should the roaming or mandatory profile be unavailable due to network issues

Super mandatory profiles prevent a user from logging on to the domain when the mandatory profile is unavailable
The Cost of Roaming Profiles
Profiles can become bloated

If the profile on the server is detected to be newer than the copy on the machine a user is logging on to, the whole profile must be copied
The reverse is also true if the profile on the local machine proves to be more up to date

Some problems caused by roaming profiles can be reduced by folder redirection
Conversion:
Group type can be changed from security to distribution and vice versa
Only security groups can be added to a DACL; if a security group is converted to a distribution group, its entry remains in the DACL but no longer has any effect on access to the resource (the converted group's members silently lose or keep nothing through that entry)
Converting group types is not commonly done

Group scope can be converted, with some restrictions
Universal to domain local, provided it’s not a member of another universal group
Universal to global, provided no universal group is a member
Global to universal, provided it’s not a member of another global group
Domain local to universal, provided no domain local group is a member
Security Group:
Security groups are the main AD object administrators use to manage network resource access and grant rights to users

Can contain the same types of objects as distribution groups

If a contact is part of a security group that is assigned permissions to a resource, the contact does not make use of the permissions because a contact is not a security principal
In a single domain environment, or when users from only one domain are assigned access to a resource, use AGDLP
Accounts are made members of
Global groups, which are made members of
Domain Local groups, which are assigned
Permissions to resources
In multidomain environments where users from different domains are assigned access to a resource, use AGGUDLP
Accounts are made members of
Global groups, which when necessary are nested in other
Global groups, which are made members of
Universal groups, which are then made members of
Domain Local groups, which are assigned
Permissions to resources
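The AGDLP and AGGUDLP chains above, together with the rule that only security groups on a DACL grant access and that a contact is not a security principal, can be checked mechanically. The following is an added example, not code from the original presentation: an offline Python model with a constructed directory (group names, members and the shared folder's DACL are made up) that resolves a principal's effective access through nested groups.

```python
# Added example (not from the original presentation): resolve effective
# access through nested groups the AGGUDLP way. The directory and DACL
# below are constructed; the rules modelled are that membership is
# transitive, that only security groups on a DACL grant access, and that
# a contact is not a security principal.
from collections import deque

# name -> (group type, scope, direct members)
GROUPS = {
    "G-Sales":           ("security",     "global",      {"jdoe", "asmith"}),
    "G-Sales-Leads":     ("security",     "global",      {"G-Sales"}),        # global nested in global
    "U-Sales-All":       ("security",     "universal",   {"G-Sales-Leads"}),  # forest-wide aggregation
    "DL-SalesShare-Mod": ("security",     "domainlocal", {"U-Sales-All"}),    # the group on the ACL
    "DL-Legacy-Share":   ("distribution", "domainlocal", {"jdoe", "contact:vendor"}),
}

# DACL of a shared folder: group -> permission
DACL = {"DL-SalesShare-Mod": "Modify", "DL-Legacy-Share": "FullControl"}


def memberships(principal, groups=GROUPS):
    """All groups a principal belongs to, directly or through nesting (breadth-first)."""
    found, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for gname, (_, _, members) in groups.items():
            if current in members and gname not in found:
                found.add(gname)
                queue.append(gname)
    return found


def effective_access(principal, dacl=DACL, groups=GROUPS):
    """Permissions granted to a principal: only security groups count, and a
    contact never receives access because it is not a security principal."""
    if principal.startswith("contact:"):
        return set()
    granted = set()
    for gname in memberships(principal, groups) & dacl.keys():
        if groups[gname][0] == "security":
            granted.add(dacl[gname])
    return granted


def nesting_path(principal, target, groups=GROUPS):
    """Chain of groups that makes a principal a member of target, or None."""
    parents = {principal: None}
    queue = deque([principal])
    while queue:
        current = queue.popleft()
        if current == target:
            chain = []
            while current is not None:
                chain.append(current)
                current = parents[current]
            return chain[::-1]
        for gname, (_, _, members) in groups.items():
            if current in members and gname not in parents:
                parents[gname] = current
                queue.append(gname)
    return None


if __name__ == "__main__":
    print("jdoe:", effective_access("jdoe"), nesting_path("jdoe", "DL-SalesShare-Mod"))
    print("contact:vendor:", effective_access("contact:vendor"))
```

jdoe sits in the distribution group that carries FullControl on the DACL, yet only Modify is granted: that is the conversion pitfall described under Conversion, reproduced in code.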
Advantages of having users log on to computers that are domain members
Single sign-on
Active Directory search
Group policies
Remote management

Computer accounts are usually created when a computer is joined to a domain

Computer accounts have an associated password and must log on to the domain
This password changes every 30 days by default; the computer initiates the change itself, so a machine that is simply left off stays in sync, but restoring an older copy of the machine (from a backup, image, or virtual machine snapshot) brings back an old password and breaks the secure channel
Command Line
Most commonly used command line tools for managing accounts

Typing /? after a command will show help information and command syntax

DSADD syntax
DSADD ObjectType ObjectDN [options]
ObjectType is the type of object you want to create, such as user or group
ObjectDN is the object’s distinguished name (DN)

Components of DN
CN (Common Name)
CN (Common Name) (repeated if the object sits in a container such as Users or Computers, e.g. cn=Jane Doe,cn=Users,dc=example,dc=com)
OU (Organizational Unit)
DC (Domain Component)

Command-line programs allow piping of output from one command to another via |, for example dsquery user -inactive 4 | dsmod user -disabled yes, which disables every account that hasn't logged on for four weeks
Utils CSVDE and LDIFDE can bulk import or export AD data

CSVDE uses comma-separated values (CSV)

LDIFDE uses LDAP Directory Interchange Format (LDIF)

CSVDE can only create objects in AD, whereas LDIFDE can create or modify objects

Creating Users with CSVDE CSV file must have a header record listing attributes of the object to be imported


Data record example:
“cn=New User,ou=TestOU,dc=w2k8adXX,dc=com”,NewUser,NewUser@w2k8adXX.com,user

Does not set passwords, so all user accounts are disabled until you create a password for each account
Creating Users with LDIFDE
Same idea as CSVDE but with a different format

dn: cn=LDF User1,ou=TestOU,dc=w2k8adXX,dc=com
changetype: add
objectClass: user
sAMAccountName: LDFUser1
userPrincipalName: LDFUser1@w2k8adXX.com

Common use of LDIFDE is exporting users from one domain and importing them into another domain
Three categories of users in Windows: local, domain, and built-in

User account names must be unique in a domain, aren’t case sensitive, and must be 20 or fewer characters
Complex password is required by default; naming standards should be used

User templates facilitate creating users who have some attributes in common, such as group memberships
The most important user account properties are in the General, Account, Profile, Member Of, and Terminal Services tabs

A user profile contains personal files and settings that define the user’s environment

A profile stored on a network share is called a roaming profile; profiles can be made mandatory

Groups are the primary security principal used to grant rights and permissions
Three group scopes in Active Directory: domain local, global, and universal

The recommended use of groups can be summarized with the acronyms AGDLP and AGGUDLP

Computers that are domain members have computer accounts in Active Directory

Computer accounts are created automatically when a computer joins a domain or manually by an administrator

Account management can be automated by command-line tools such as DSADD
A domain can't be configured to run at a lower functional level than the functional level of its forest

Like forest functional levels, domain functional levels can be raised but not lowered
Windows 2000 Native: Universal groups, group nesting, group conversion, Security identifier (SID) history
Windows Server 2003: All features of Windows 2000 native, domain controller renaming, logon timestamp replication, selective authentication, Users and Computers container redirection
Windows Server 2008: All features of Windows 2003, Distributed File System replication of SYSVOL, fine-grained password policies, last interactive logon information, Advanced Encryption Standard (AES) support for Kerberos
Raising the Domain Functional Level

All domain controllers must be running a Windows OS compatible with the desired functional level
Functional level can be raised in Active Directory Domains and Trusts
The level is raised once (the change is written on the PDC emulator) and replicates to every domain controller automatically
Once the functional level is raised, it cannot be reversed
Raising the Forest Functional Level
You must be a member of Enterprise Admins (or Domain Admins in the forest root domain) to raise the forest functional level
If raising both domain and forest functional levels, domain functional must be raised first
Domain functional levels must be equal or greater than forest functional levels
Once a functional level is raised, it cannot be lowered
ADPrep
The Adprep command-line program prepares an existing forest or domain for the addition of a Windows Server 2008 domain controller

To prepare the forest, run the adprep /forestprep command on a Windows Server 2003 or Windows 2000 domain controller acting as the schema master

Then run adprep /domainprep in each domain where you plan to add a Windows Server 2008 DC; Windows 2000 requires adprep /domainprep /gpprep
Read-Only Domain Controller
A read-only domain controller (RODC) is a new type of domain controller in Windows Server 2008.

With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed.

An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database.

Branch offices often cannot provide the adequate physical security that is required for a writable domain controller.

Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on.
Before you can install an RODC in an existing domain that isn't running all Windows Server 2008 DCs, follow these steps:
Verify the forest functional level is Windows Server 2003 or higher
Prepare the forest (adprep /forestprep, plus adprep /rodcprep, which adjusts permissions on the DNS application partitions so that RODCs can replicate them)
Install at least one writeable DC running Windows Server 2008
Install an RODC on a full Windows Server 2008 installation or a Server Core installation
Removal of Services
Domain Controller
Be aware of some potential issues
If the DC performs any operations master roles, you must first transfer the role to another DC
If the DC is a global catalog server, make sure at least one other DC is a global catalog server
If it’s the only DC in the domain, you’ll also remove the domain

Dcpromo is used to demote a DC, which removes the AD DS role from it

If the server wasn’t the last DC, it will remain a member of the domain
Domain
Two ways to remove a domain: demote its last DC with dcpromo, or clean up the metadata of an orphaned domain with Ntdsutil

If the DC crashed or was taken offline without using dcpromo to demote it to a regular server, you must use Ntdsutil to remove the domain
This process is called removing an orphaned domain

A metadata cleanup will remove all selected domain data from the rest of the forest
ADMT
The Active Directory Migration Tool (ADMT) allows moving objects and restructuring Active Directory without users losing access to network resources and has three main types of migration
Intraforest migration
Interforest migration
Migration of an NT 4.0 domain to an Active Directory domain

Before attempting migration, you should review the Active Directory Migration guide

Terms used for migration planning and implementation
SID History
Security Translation
Password Export Server (PES)
Forest Trusts
DNS must be configured correctly in both forest root domains

You must initiate the forest trust in Active Directory Domains and Trusts from the forest root domain

When creating a forest trust, you must specify the type of authentication you wish to use
Forest-wide authentication is a property of a forest trust in which all users in a trusted forest can be authenticated to the trusting forest
Selective authentication enables administrators to specify which users can authenticate to selected resources in the trusting forest; it is the least-privilege choice, because a user from the trusted forest can reach only the computers on which that user has been granted the Allowed to Authenticate permission
Trust Properties The Properties dialog box of a forest trust contains three tabs

The General tab:
The other domain supports Kerberos AES Encryption
Direction of trust
Transitivity of trust
Save As

The Name Suffix Routing tab:
Allows you to control which name suffixes used by the trusted forest are routed for authentication

Authentication tab:
Same options as the Outgoing Trust Authentication Level window
SID Filtering
The sIDHistory attribute can be used for nefarious purposes to gain administrative privileges in a trusting forest

To counter the security risk, Windows provides a feature called SID filtering

SID filtering causes the trusting domain to discard any SID in an incoming user's authorization data (including sIDHistory entries) that isn't relative to the trusted domain, so a sIDHistory entry claiming membership of the trusting domain's own Domain Admins is ignored

SID filtering is enabled by default on external trusts created on Windows Server 2003 or later and on forest trusts; on a forest trust it can be relaxed with netdom to allow SID history from the trusted forest, which reintroduces the risk and should be done only for a deliberate migration
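What the filter actually does to a token can be shown with a few lines of code. The block below is an added example, not code from the original presentation: an offline Python model in which the trusting side keeps only SIDs relative to the domain it trusts. The two domain identifiers and the token are constructed; the injected sIDHistory entry uses the documented Domain Admins RID 512 of the trusting domain, which is the attack SID filtering exists to stop.

```python
# Added example (not from the original presentation): a model of what SID
# filtering does to the authorization data that arrives over a trust. The
# domain SIDs and the token below are constructed; 512 is the documented
# RID of Domain Admins.

def domain_of(sid):
    """Domain identifier of a domain-relative SID (S-1-5-21-x-y-z-RID),
    or None for well-known/built-in SIDs that have no domain part."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None


def sid_filter(token_sids, allowed_domains, enabled=True):
    """Split a token's SIDs (user, groups and sIDHistory) into those kept
    and those dropped by the trusting side. allowed_domains is the trusted
    domain (external trust) or every domain of the trusted forest."""
    if not enabled:
        return list(token_sids), []
    kept, dropped = [], []
    for sid in token_sids:
        (kept if domain_of(sid) in allowed_domains else dropped).append(sid)
    return kept, dropped


def is_privileged(kept_sids, local_domain):
    """Would the kept SIDs make the caller a member of our Domain Admins?"""
    return f"{local_domain}-512" in kept_sids


TRUSTED = "S-1-5-21-1111-2222-3333"   # remote domain we trust (constructed)
LOCAL = "S-1-5-21-7777-8888-9999"     # our own, trusting domain (constructed)

# Token as presented by the trusted domain, with an injected sIDHistory entry
TOKEN = [
    f"{TRUSTED}-1105",   # the remote user
    f"{TRUSTED}-1120",   # a group in the trusted domain
    f"{LOCAL}-512",      # sIDHistory claiming OUR Domain Admins
    "S-1-5-32-544",      # BUILTIN\Administrators: not domain-relative
]


def evaluate(token=TOKEN, enabled=True):
    """Run the token through the filter and report the outcome."""
    kept, dropped = sid_filter(token, {TRUSTED}, enabled)
    return {"kept": kept, "dropped": dropped, "admin": is_privileged(kept, LOCAL)}


if __name__ == "__main__":
    print("filtering on :", evaluate(enabled=True))
    print("filtering off:", evaluate(enabled=False))
```

With filtering on, the caller keeps only the two SIDs that belong to the trusted domain; with filtering off, the forged Domain Admins SID survives and the caller is an administrator of the trusting domain.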

Knowledge Consistency Checker
The KCC is a process that runs on every DC and, for intrasite replication, builds a replication topology among the DCs in a site and establishes replication partners
The KCC on each domain controller uses data stored in the forest-wide configuration directory partition to create the replication topology
The replication topology can be recalculated manually in Active Directory Sites and Services
Connection Objects
Connection objects define the connection parameters between two replication partners

Changes to intrasite connection objects are usually unnecessary, but changes can be made in Active Directory Sites and Services

General tab in the Properties dialog box is the only one of interest for connection objects and contains the following fields:
Change Schedule
Replicate from Server
Replicate from Site
Replicated Naming Context(s)
Partially Replicated Naming Context(s)

You can create connection objects for intrasite replication if you want to alter the replication topology manually

By default, the schedule for a new connection object is set to every 15 minutes, but this value can be changed

Changing the schedule for connection objects can be useful for troubleshooting replication problems
Replication Status Active Directory Sites and Services can be used to force the KCC to check the replication topology

Repadmin.exe is a tool that will show detailed information about connections and replication status
To use, type repadmin /showrepl

Repadmin can also be used to show the partitions being replicated by each connection object, force replication to occur, force the KCC to recalculate the topology, and other actions
Global Catalog
The global catalog contains a partial replica of all objects in the forest, maintains universal group memberships, provides cross-domain logon support, and is used to locate objects throughout the forest

Global catalog servers keep inbound connections with a DC in each domain the global catalog is built from

Connections between global catalog servers always include replication of the global catalog partition
Special Replications
Certain changes require special processing
Urgent replication events (trigger change notifications immediately)
Account lockouts
Changes to the account lockout policy
Changes to the domain password policy
Changes to non-security principal passwords
Password change to a DC computer account
Changes to the RID master DC
User Account password changes
Replication
An RODC is treated like any other domain controller when considering replication topology

Limitations to keep in mind
The connection between an RODC and a writeable DC is one-way: the RODC only pulls changes and never replicates anything outbound
Because no changes originate on an RODC, an RODC can't serve as a replication source for another RODC; each RODC needs its own inbound connection from a writeable DC
The domain directory partition can be replicated only to an RODC from a Windows Server 2008 DC; Windows Server 2003 DCs can replicate other partitions to an RODC
When upgrading a domain from Windows Server 2003, the first Windows Server 2008 DC must be writeable
Significance of Subnets
After creating a site, you must associate one or more subnets with it

Each site is associated with one or more IP subnets, and a subnet can only be associated with a single site

AD uses this information in two important ways
Placing new domain controllers in the appropriate site
Determining which site a client computer belongs to

If a client's IP address doesn't match a subnet in any of the defined sites, communication efficiency could degrade because the client might request services from servers in remote sites instead of locally
Bridgehead Servers
Intersite replication occurs between bridgehead servers
Bridgehead servers are responsible for all intersite replication
Bridgehead servers can be designated manually
Repadmin /bridgeheads command can list which DCs in a site are acting as bridgehead servers to other sites
One DC is designated as the Inter-Site Topology Generator (ISTG), which then designates a bridgehead server to handle replication for each directory partition
Two protocols can be used to replicate between sites

IP (RPC over IP) is used by default in the DEFAULTIPSITELINK site link and is recommended in most cases
Simple Mail Transport Protocol is used primarily for e-mail and works well for slower, less reliable, or intermittent connections; it can replicate only the schema, configuration, and global catalog partitions, not the domain partition, and requires a certificate authority because the mail is signed and encrypted
With SMTP a DC can send multiple replication requests simultaneously without waiting for a reply
Site Link Bridges
By default, site link bridging is enabled, which makes site links transitive

You can change the transitive behavior of site links by turning off site link bridging and creating site link bridges manually

Automatic site bridging can lead to over-utilization of a slower WAN link

Other reasons to create site link bridges manually:
Control traffic through firewalls
Accommodate partially routed network
Reduce confusion of the KCC
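Two of the calculations Sites and Services performs from these objects, the subnet-to-site lookup described under Significance of Subnets and the cost-based route selection that site link bridging enables, are modelled below. This is an added example, not code from the original presentation; the subnets, site names and link costs are constructed, and Python's ipaddress module stands in for the DC locator's longest-prefix match.

```python
# Added example (not from the original presentation): two pieces of what
# Active Directory Sites and Services computes from subnet and site link
# objects, modelled offline. The subnets, sites and costs are constructed.
import heapq
import ipaddress

# subnet -> site, as configured under Sites and Services
SUBNETS = {
    "10.0.0.0/8":  "HQ",        # catch-all for the campus
    "10.2.0.0/16": "Branch-A",
    "10.3.0.0/16": "Branch-B",
}

# site links: (member sites, cost)
SITE_LINKS = [
    ({"HQ", "Branch-A"}, 100),
    ({"HQ", "Branch-B"}, 100),
    ({"Branch-A", "Branch-B"}, 500),   # slow direct WAN link
]


def site_for(ip):
    """Site of a client: the most specific (longest-prefix) subnet that
    contains its address, or None when no subnet matches (the client may
    then use DCs in a remote site)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def cheapest_route(src, dst, links=SITE_LINKS, bridging=True):
    """Lowest-cost route between two sites. With site link bridging (the
    default) links are transitive and Dijkstra applies; without it two
    sites can replicate directly only if a single site link contains
    both. Returns (cost, [sites]) or None."""
    if not bridging:
        direct = [c for sites, c in links if {src, dst} <= sites]
        return (min(direct), [src, dst]) if direct else None
    best = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > best[site]:
            continue
        for sites, link_cost in links:
            if site not in sites:
                continue
            for nxt in sites - {site}:
                new = cost + link_cost
                if new < best.get(nxt, float("inf")):
                    best[nxt] = new
                    prev[nxt] = site
                    heapq.heappush(heap, (new, nxt))
    return None


if __name__ == "__main__":
    for ip in ("10.2.5.7", "10.9.1.1", "192.168.1.1"):
        print(ip, "->", site_for(ip))
    print("bridged  :", cheapest_route("Branch-A", "Branch-B"))
    print("unbridged:", cheapest_route("Branch-A", "Branch-B", bridging=False))
```

With bridging on, Branch-A and Branch-B replicate over the two-hop route through HQ (cost 200) rather than their own link (cost 500), so HQ's WAN links carry traffic the administrator may not have intended; turning bridging off and creating bridges by hand is how that is controlled.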
Universal Group Membership Caching
Global catalog servers increase replication traffic
Windows Server 2008 includes universal group membership caching, which allows universal group membership information to be retrieved from a global catalog server in a different site and then cached locally on every DC in the site and updated every 8 hours
Microsoft recommends placing a global catalog server in the site when the number of accounts exceeds 500 and the number of DCs exceeds two
FSMO Roles
If you build a new forest, the first DC installed performs all five FSMO roles
This is acceptable for small environments, but larger environments may perform better if these roles are transferred to separate servers
Common rules for operations masters
Unless your domain is small, transfer operations master roles to other DCs
Place the servers performing these roles where network availability is high
Designate an alternate DC for all roles
Domain Naming Master
The domain naming master is needed when a domain or domain controller is added to or removed from the forest
Attempting to add or remove a domain while the DC performing this role is down is not advisable
When possible, the domain naming master should be a direct replication partner with another DC that’s also a global catalog server in the same site
Schema Master
The schema master is needed when the Active Directory schema is changed
Generally, the schema master role should be transferred to another server only when you're certain the original server will be down permanently
PDC Emulator
Processes password changes for older Windows clients (Windows 9x and NT); other DCs also forward password changes to it immediately, and it is the domain's authoritative time source
Should be placed where there is a high concentration of users
Shouldn’t be placed on a DC that is also a global catalog server
RID Master
Every Active Directory security principal (user, group, or computer) gets an RID that forms the last part of the object's SID
RID Master provides these RIDs to domain controllers
Ideally placed with the PDC emulator because the PDC emulator uses the RID master's services frequently
Infrastructure Master
Role is most needed when many objects have been moved or renamed
Shouldn't be performed by a DC that's also a global catalog server (unless every DC in the domain is a global catalog server) but should be at least in the same site as a global catalog server
If the Master fails, the role can be moved to another DC if necessary
Seizing Operations Master Roles
An operations master role is seized when the current role holder is no longer online because of some type of failure
Seizing should never be done when the current role holder is accessible
Seizing is done with the ntdsutil command
Before you can install a Windows Server 2008 server as a DC in an existing Windows Server 2003 or Windows 2000 server domain, existing domain controllers must be prepared

Before you can install an RODC in an existing domain, the forest functional level must be at least Windows Server 2003

To remove a domain controller, you use dcpromo or ntdsutil

Use the Active Directory Migration Tool to migrate accounts from one domain or forest to another
Before creating a trust of any type, DNS must be configured so that FQDNs of domain controllers in all participating domains can be resolved

Some trust properties you can configure include the trust direction and transitivity, name suffix routing, and authentication

Both intrasite and intersite replication use the same basic processes to replicate Active Directory data; the main goal is to balance data replication timeliness and efficiency
A site is an Active Directory object containing domain controllers and default settings for replication within the site and is usually associated with one or more IP subnets and site links

Connection objects provide the connection and replication parameters between two servers

Bridgehead servers are responsible for all intersite replication

Universal group membership caching resolves the potential conflict between faster logons and additional replication traffic

Deciding where to place the FSMO role holder is part of your overall Active Directory design strategy