
Active Directory

Nanda Ganesan, Ph.D.

N. Ganesan, Ph.D. , All rights reserved.

References
Technical Overview of Windows 2003 Active Directory
Introduction to Windows 2003 Active Directory in Application Mode
Windows 2003 Reviewer's Guide

Agenda
What is Active Directory
Building an Active Directory
Using Active Directory Features
Active Directory Objects
Auditing Active Directory

Group Names
Contributions made by: Charles Guzman, Daniel Gebretensai, Ervand Akopyan, Hovik Gharadaghi

Introduction to Active Directory

Overview of Active Directory


The directory service of the Windows server system
Stores information about network objects and makes that information available to administrators, users, and applications
Provides a single point of network management, allowing administrators to add, remove, and relocate users and resources easily
Integrated with the Internet's hierarchical Domain Name System (DNS)

Active Directory Properties


Integration with DNS
Flexible querying
Information security
Simplified administration
Scalability

Object and Schema


Objects are the basic entities that constitute the Active Directory
Each object has its own globally unique identifier (GUID), which stays constant even if the object is renamed or moved

Schema
Describes the object classes
Defines the attributes for each object class

Structural Components
An object-based hierarchical structure built from the following constructs:
Domains
Trees
Forests
Trust relationships
Organizational Units
Sites

A Simple Active Directory Structure

Active Directory and DNS Integration

Tree

Parent and child domains in a domain tree. Double-headed arrows indicate two-way transitive trust relationships

Forests

One forest with three domain trees. The three root domains are not contiguous with each other, but EuropeRoot.com and AsiaRoot.com are child domains of HQ-Root.com.

Internal Trusts in a Forest

Shortcut trusts between Domains B and D, and between Domains D and 2

Trust Relationships
Transitive
Two-way
Shortcut trusts
External trusts

Trust Relationships

Organizational Units

Intra-site replication with just one domain.

Trust Relationships

Intra-site replication with two domains and two global catalogs

Directory Protocols
Based on standard directory protocols, so it interoperates with other directory-aware systems. Example: LDAP
LDAP is used to add, modify, delete, and query information stored in AD. LDAP is to AD what SQL is to Oracle: it defines how a client accesses the directory, which operations it can perform, and how directory data is shared.
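Because LDAP queries are strings assembled by the application, the usual caveat from the SQL comparison applies here too: unescaped user input changes the query. The following added example (not code from the original slides) shows a naive filter next to one escaped per RFC 4515, and a small filter parser used to prove the difference; attribute names and the sample input are assumptions chosen for illustration.

```python
# Added example: safe construction of an Active Directory LDAP search filter.
# The attribute names (objectClass, sAMAccountName) are standard AD attributes;
# the sample logon names below are made up for illustration.

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so the server treats it as a literal value."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(logon_name: str) -> str:
    """Naive concatenation: attacker-controlled input can add new assertions."""
    return f"(&(objectClass=user)(sAMAccountName={logon_name}))"


def safe_user_filter(logon_name: str) -> str:
    """Same query with the value escaped; the input can only ever match a name."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(logon_name)}))"


def parse_filter(text: str) -> tuple:
    """Parse a subset of RFC 4515 filters (&, |, !, attr=value) into nested tuples.

    Returns ('and'|'or', [children]), ('not', child) or ('eq', attr, value).
    Values are left in their escaped form; an unescaped '*' in a value is the
    LDAP wildcard/presence match, which is exactly what the unsafe filter leaks.
    """

    def parse(i: int):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        op = text[i]
        if op in "&|":
            i += 1
            children = []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return ("and" if op == "&" else "or", children), i + 1
        if op == "!":
            node, i = parse(i + 1)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return ("not", node), i + 1
        eq = text.index("=", i)
        end = text.index(")", eq)  # an escaped value never contains a raw ')'
        return ("eq", text[i:eq], text[eq + 1:end]), end + 1

    node, consumed = parse(0)
    if consumed != len(text):
        raise ValueError("trailing characters after filter")
    return node


def assertion_count(filter_text: str) -> int:
    """Number of attribute assertions directly under the top-level AND."""
    node = parse_filter(filter_text)
    return len(node[1]) if node[0] in ("and", "or") else 1


if __name__ == "__main__":
    hostile = "*)(objectClass=*"  # constructed injection attempt
    print(unsafe_user_filter(hostile), assertion_count(unsafe_user_filter(hostile)))
    print(safe_user_filter(hostile), assertion_count(safe_user_filter(hostile)))
```

With the constructed input `*)(objectClass=*`, the naive filter gains a third assertion and matches every user; the escaped filter still has exactly two assertions and matches nothing.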

Active Directory Security


Based on Kerberos v5; supports multiple security configurations for cross-platform interoperability
Clients: a domain controller authenticates clients that implement RFC 1510 Kerberos, including clients running other operating systems. Unix clients and services: a Kerberos principal is mapped to a Windows 2000 user or computer account

Installation Of Active Directory

Requirements
The computer must run Windows 2000 Server or Windows Server 2003 (Standard, Enterprise/Advanced, or Datacenter edition)
At least one volume on the computer must be formatted with NTFS
DNS must be active on the network before AD installation, or be installed during AD installation
DNS must support SRV records and dynamic updates
The computer must have TCP/IP installed and a static IP address
The Kerberos v5 authentication protocol must be available (it is part of the operating system)
Time and time-zone information must be correct, since Kerberos rejects tickets from clocks that are too far out of sync

DCPROMO

Role of DNS
Clients use DNS (SRV records) to locate Active Directory domain controllers. Servers and client computers register their names and IP addresses with the DNS server through dynamic update
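The DC-location step relies on the `_ldap._tcp.dc._msdcs.<domain>` SRV records that each domain controller registers. The added example below (not from the original slides) shows the names a client asks for and how it chooses among the answers using the RFC 2782 rule (lowest priority first, then weighted random among equals); the domain `corp.example`, the site name and the zone lines are constructed for illustration.

```python
# Added example: locating a domain controller from SRV records.
# Domain name, site name and the zone-file lines are constructed sample data.
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_name(domain: str, site: Optional[str] = None) -> str:
    """DNS name a Windows client queries to find LDAP-capable DCs for a domain.

    When the client knows its site it queries the site-specific name first so
    it prefers a nearby DC; the domain-wide name is the fallback.
    """
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}."
    return f"_ldap._tcp.dc._msdcs.{domain}."


def parse_srv_records(zone_text: str) -> List[SrvRecord]:
    """Parse zone-file style lines: name ttl IN SRV priority weight port target."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append(SrvRecord(int(fields[4]), int(fields[5]),
                                 int(fields[6]), fields[7]))
    return records


def select_target(records: List[SrvRecord], seed: Optional[int] = None) -> SrvRecord:
    """RFC 2782 selection: only the lowest priority is eligible; within that
    set a record is chosen with probability proportional to its weight."""
    if not records:
        raise LookupError("no SRV records: no domain controller can be located")
    rng = random.Random(seed)
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:  # all weights zero: any candidate is as good as another
        return rng.choice(candidates)
    pick = rng.randrange(total)
    for r in candidates:
        pick -= r.weight
        if pick < 0:
            return r
    return candidates[-1]


# Constructed answer for the domain-wide locator name: two equal primary DCs
# and one DC that is only used when both primaries are unavailable.
SAMPLE_ZONE = """\
; constructed sample records for corp.example
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 10 100 389 dc-backup.corp.example.
"""

if __name__ == "__main__":
    print(dc_locator_name("corp.example", site="HQ"))
    chosen = select_target(parse_srv_records(SAMPLE_ZONE))
    print(f"connect to ldap://{chosen.target}:{chosen.port}")
```

Note the security implication of this step: a client trusts whatever DNS returns, so controlling the DNS answer controls which host the client authenticates against. Kerberos mutual authentication and LDAP signing are what limit the damage of a spoofed record.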

Managing Active Directory

Creating a Child Domain

Requirements
An existing (parent) domain
A member server to promote

Managing Objects in Active Directory

Frequently Managed Objects


Users
Computers
Groups

Managing Users

Managing Computers

A Client Joining a Domain

Managing Groups

Group Policy Feature


Defines the components of the user's desktop environment that an administrator needs to manage
Applies not only to users and client computers but also to member servers, domain controllers, and other Windows Server 2003 computers within the scope of management

Group Policy contd


Manage registry-based policy with Administrative Templates
Assign scripts, including computer startup and shutdown scripts and user logon and logoff scripts
Redirect folders, such as My Documents and My Pictures, from the Documents and Settings folder on the local computer to network locations

Configuring a Custom Console

Adding a Group Policy Object

Auditing

Auditing
Records security-relevant activities (who did what, to which object, and when) in the Security event log

Some Auditable Activities


Account logon and logon events
Object access
Account management
Directory service access
Policy change
System events
Process tracking
Privilege use

Some Auditing Functions

Function                   Examples
Logon/logoff
User access to resources   File, folder, registry key, printer, etc.
Account management         Create users and groups, modify membership, change password, etc.
System events              Service start/stop
Directory service access   User access to Active Directory objects
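Collecting these events is only useful if someone looks at them. The added example below (not part of the original slides) runs three simple checks over a constructed batch of Security log records using the Windows 2000/2003 event IDs for the categories in the table (Vista and later use the same number plus 4096, e.g. 624 becomes 4720 and 529 becomes 4625). Account names, group names and timestamps are made up.

```python
# Added example: detection rules over constructed Windows 2003 Security log
# records. Event IDs are the real Windows 2000/2003 numbers; the records,
# account names and thresholds are assumptions chosen for illustration.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Windows 2000/2003 security event IDs used below (audit category in comments).
EVENT_NAMES = {
    624: "user account created",                  # account management
    632: "member added to global group",          # account management
    636: "member added to local group",           # account management
    529: "logon failure: bad user name/password", # logon events
    565: "directory service object opened",       # directory service access
    612: "audit policy changed",                  # policy change
}

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Record layout: (timestamp, event id, subject account, target, group or None)
Event = Tuple[str, int, str, str, Optional[str]]

# Constructed sample: a password-guessing burst, then a freshly created account
# dropped into Domain Admins and the audit policy changed; followed by a normal
# onboarding that should not fire anything.
SAMPLE_EVENTS: List[Event] = [
    ("2024-05-01 09:00:01", 529, "-", "svc-backup", None),
    ("2024-05-01 09:00:02", 529, "-", "svc-backup", None),
    ("2024-05-01 09:00:03", 529, "-", "svc-backup", None),
    ("2024-05-01 09:00:04", 529, "-", "svc-backup", None),
    ("2024-05-01 09:00:05", 529, "-", "svc-backup", None),
    ("2024-05-01 09:05:00", 624, "svc-backup", "helpdesk2", None),
    ("2024-05-01 09:06:30", 632, "svc-backup", "helpdesk2", "Domain Admins"),
    ("2024-05-01 09:07:00", 612, "svc-backup", "-", None),
    ("2024-05-01 10:00:00", 624, "alice", "newhire7", None),
    ("2024-05-01 10:01:00", 632, "alice", "newhire7", "Domain Users"),
    ("2024-05-01 10:02:00", 565, "alice", "CN=newhire7,OU=Staff,DC=corp,DC=example", None),
]


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect(events: List[Event], fail_threshold: int = 5,
           fail_window: timedelta = timedelta(minutes=5),
           promote_window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, str]]:
    """Return (rule, detail, timestamp) findings, in time order.

    Rules: N failed logons for one account inside fail_window; a member added
    to a privileged group (flagged harder if the account was created within
    promote_window); any audit policy change.
    """
    findings = []
    failures = defaultdict(list)  # target account -> recent 529 timestamps
    created = {}                  # target account -> creation time (624)
    for when, event_id, subject, target, group in sorted(events, key=lambda e: e[0]):
        t = _ts(when)
        if event_id == 529:
            recent = [x for x in failures[target] if t - x <= fail_window] + [t]
            failures[target] = recent
            if len(recent) == fail_threshold:  # fire once when the threshold is hit
                findings.append(("password guessing", target, when))
        elif event_id == 624:
            created[target] = t
        elif event_id in (632, 636) and group in PRIVILEGED_GROUPS:
            rule = "privileged group change"
            if target in created and t - created[target] <= promote_window:
                rule = "new account promoted to privileged group"
            findings.append((rule, f"{subject} added {target} to {group}", when))
        elif event_id == 612:
            findings.append(("audit policy changed", subject, when))
    return findings


if __name__ == "__main__":
    for rule, detail, when in detect(SAMPLE_EVENTS):
        print(f"{when}  {rule}: {detail}")
```

The audit policy change (612) is worth flagging unconditionally: an attacker who has just gained Domain Admins will often turn auditing off, so that event is frequently the last thing the log records.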

The list of auditing options

References
www.microsoft.com
www.windowsitpro.com
www.visualwin.com
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/d2ff1315-1712-48e4-acdc-8cae1b593eb1.mspx
http://en.wikipedia.org/wiki/Active%5FDirectory
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/domcntrl.mspx#EFAA

The End
