Active Directory Windows2003 Server

Active Directory
Nanda Ganesan, Ph.D.
© N. Ganesan, Ph.D. , All rights reserved.
References
• Technical overview of Windows 2003 Active Directory
• Introduction to Windows 2003 Active Directory in application mode
• Windows 2003 Reviewer’s Guide
Agenda
• What is Active Directory
• Building an Active Directory
• Using Active Directory Features
• Active Directory Objects
• Auditing Active Directory
Group Names
• Contributions made by
– Charles Guzman
– Daniel Gebretensai
– Ervand Akopyan
– Hovik Gharadaghi
Introduction to Active Directory
Overview of Active Directory
• Directory service of the Windows server system
• Stores information about network objects and makes that information available to administrators, users, and applications
• Provides a single point of network management, allowing people to add, remove, and relocate users and resources easily
• Integrated with the Internet’s hierarchical domain naming system (DNS)
Active Directory Properties
• Integration with DNS
• Flexible querying
• Information security
• Simplified administration
• Scalability
Object and Schema
• Objects are the basic entities that constitute the Active Directory
– Each object has its own globally unique identifier (GUID)
• Schema
– Describes the object classes
– Defines the attributes for each object class
Structural Components
• Object-based hierarchical structure built from the following constructs
– Domains
– Trees
– Forests
– Trust relationships
– Organizational Units
– Sites
A Simple Active Directory Structure
Active Directory and DNS Integration
Tree
Parent and child domains in a domain tree. Double-headed arrows indicate two-way transitive trust relationships.
Forests
One forest with three domain trees. The three root domains are not contiguous with each other, but EuropeRoot.com and AsiaRoot.com are child domains of HQ-Root.com.
Internal Trusts in a Forest
Shortcut trusts between Domains B and D, and between Domains D and 2.
Trust Relationships
• Transitive
• Two-way
• Shortcut trusts
• External trusts
Trust Relationships
Organizational Units
Intra-site replication with just one domain.
Trust Relationships
Intra-site replication with two domains and two global catalogs.
Directory Protocols
• Based on standard directory protocols
• Interoperates with other protocols
• Example: LDAP
– LDAP is used to add, modify, delete and query information stored in AD
– LDAP is to AD what SQL is to Oracle
– LDAP defines how a client accesses the directory, which operations it can perform within the directory, and how directory data is shared
Active Directory Security
• Based on Kerberos
• Supports multiple security configurations for cross-platform interoperability
– Clients: A domain controller will authenticate clients running RFC 1510 Kerberos, including clients running other operating systems.
– Unix clients and services: A Kerberos principal is mapped to a Windows 2000 user or computer account.
Installation Of Active Directory
Requirements
• The computer must be running Windows 2k, 2k3 Server, Advanced Server or Datacenter Server.
• At least one volume on the computer must be formatted with NTFS.
• DNS must be active on the network prior to AD installation or be installed during AD installation.
• DNS must support SRV records and be dynamic.
• The computer must have the IP protocol installed and have a static IP address.
• The Kerberos v5 authentication protocol must be installed.
• Time and time zone information must be correct.
DCPROMO
Role of DNS
• Clients use DNS to locate Active Directory domain controllers.
• Servers and client computers register their names and IP addresses with the DNS server.
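The slides state that DNS must support SRV records and that clients use DNS to locate domain controllers. The added example below (not from the lecture) parses zone-file style SRV records of the kind a domain controller registers under `_ldap._tcp.dc._msdcs.<domain>` and applies the RFC 2782 selection rule: lowest priority first, then weighted choice within that priority. The zone lines, host names and the `corp.local` domain are constructed; the random source is a parameter so the choice can be reproduced:

```python
# Added example (not from the lecture): parsing DC-locator SRV records and
# choosing a domain controller the way RFC 2782 describes.
import random
from dataclasses import dataclass

# Constructed sample zone data in presentation format:
# owner ttl class type priority weight port target
SAMPLE_ZONE = """\
_ldap._tcp.dc._msdcs.corp.local. 600 IN SRV 0 100 389 dc1.corp.local.
_ldap._tcp.dc._msdcs.corp.local. 600 IN SRV 0 50 389 dc2.corp.local.
_ldap._tcp.dc._msdcs.corp.local. 600 IN SRV 10 100 389 dc-dr.corp.local.
"""


@dataclass
class SrvRecord:
    owner: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_record(line: str) -> SrvRecord:
    """Parse one SRV record line; reject anything that is not an SRV record."""
    parts = line.split()
    if len(parts) != 8 or parts[2] != "IN" or parts[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(
        owner=parts[0].rstrip("."),
        priority=int(parts[4]),
        weight=int(parts[5]),
        port=int(parts[6]),
        target=parts[7].rstrip("."),
    )


def load_zone(text: str) -> list[SrvRecord]:
    """Parse every non-blank line of the zone text."""
    return [parse_srv_record(ln) for ln in text.splitlines() if ln.strip()]


def choose_domain_controller(records: list[SrvRecord], rnd=random.random) -> SrvRecord:
    """RFC 2782 selection: lowest priority wins; ties are broken by weight.

    `rnd` returns a float in [0, 1); it is injectable so tests are repeatable.
    """
    if not records:
        raise ValueError("no SRV records: no domain controller can be located")
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total_weight = sum(r.weight for r in candidates)
    if total_weight == 0:
        return candidates[0]  # all weights zero: any candidate is acceptable
    pick = rnd() * total_weight
    running = 0
    for rec in candidates:
        running += rec.weight
        if pick < running:
            return rec
    return candidates[-1]


if __name__ == "__main__":
    dcs = load_zone(SAMPLE_ZONE)
    chosen = choose_domain_controller(dcs)
    print(f"contact {chosen.target}:{chosen.port} (priority {chosen.priority})")
```

Because clients trust whatever these records say, the slide's requirement that the zone accept dynamic updates is also the point where registration should be restricted to authenticated computers; a record that points `_ldap._tcp.dc._msdcs` at the wrong host redirects every client that resolves it.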
Managing Active Directory
Creating a Child Domain
Requirements
• Existing Domain
• Member Server
Managing Objects in Active
Directory
Frequently Managed Objects
• Users
• Computers
• Groups
Managing Users
Managing Computers
A Client Joining a Domain
Managing Groups
Group Policy Feature
• Defines the components of the user’s desktop environment that an administrator needs to manage
• Applies not only to users and client computers but also to member servers, domain controllers, and other Windows Server 2003 computers within the scope of management
Group Policy cont’d
• Manage registry-based policy with Administrative Templates
• Assign scripts, including computer startup, shutdown, logon, and logoff scripts
• Redirect folders, such as My Documents and My Pictures, from the Documents and Settings folder on the local computer to network locations
Configuring a Custom Console
Adding a Group Policy Object
Auditing
Auditing
• Audit related functional activities
Some Auditable Activities
• Account logon and logon events
• Object access
• Account management
• Directory service access
• Policy change
• System events
• Process tracking
• Privilege
Some Auditing Functions
• Logon/Logoff
• User access to resources
– File, folder, registry key, printer etc.
• Account management
– Create users and groups, modify membership, change passwords etc.
• System events
– Service start/stop
• Directory service access
– Users’ access to Active Directory objects
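Enabling the audit categories above only helps if someone reads the resulting security log. The following added example (not from the lecture) runs simple detection logic over a few constructed security-log lines: it maps event IDs to the slide's categories, counts repeated failed logons per account, and flags additions to a privileged group. The event-ID-to-category table is my recollection of the Windows Server 2003 security event numbering and is an assumption to verify against your own domain controller's log; the log lines, accounts and host names are constructed and use a simplified one-line layout rather than the real event log format:

```python
# Added example (not from the lecture): classifying security-log events into
# the lecture's audit categories and applying two simple detections.
import re
from collections import Counter

# Assumption: Windows Server 2003 security event IDs, quoted from memory.
# Verify against the security log of your own domain controller.
EVENT_CATEGORY = {
    528: "logon", 540: "logon", 529: "logon", 538: "logoff",
    624: "account management", 630: "account management",
    632: "account management", 628: "account management",
    565: "directory service access",
    560: "object access",
    612: "policy change", 517: "policy change",
    512: "system event",
    592: "process tracking",
    577: "privilege use",
}

# Constructed sample log (not real data), one event per line:
# <timestamp> <event id> <Success|Failure> <account> <free-text detail>
SAMPLE_LOG = """\
2003-05-01T09:00:01 512 Success SYSTEM Windows is starting up
2003-05-01T09:01:12 528 Success CORP\\jsmith Logon type 2 from WS01
2003-05-01T09:02:30 529 Failure CORP\\admin Bad password from WS07
2003-05-01T09:02:33 529 Failure CORP\\admin Bad password from WS07
2003-05-01T09:02:36 529 Failure CORP\\admin Bad password from WS07
2003-05-01T09:02:40 529 Failure CORP\\admin Bad password from WS07
2003-05-01T09:05:00 624 Success CORP\\jsmith Created user CORP\\svc-backup
2003-05-01T09:05:05 632 Success CORP\\jsmith Added svc-backup to Domain Admins
2003-05-01T09:06:00 612 Success SYSTEM Audit policy changed
2003-05-01T09:07:00 565 Success CORP\\jsmith Opened object CN=Users,DC=corp,DC=local
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (Success|Failure) (\S+) (.*)$")


def parse_events(text: str) -> list[dict]:
    """Parse the simplified log layout; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, eid, outcome, account, detail = m.groups()
        eid = int(eid)
        events.append({
            "time": ts, "id": eid, "outcome": outcome,
            "account": account, "detail": detail,
            "category": EVENT_CATEGORY.get(eid, "unknown"),
        })
    return events


def count_by_category(events: list[dict]) -> Counter:
    """How many events fell into each audit category."""
    return Counter(e["category"] for e in events)


def failed_logons_by_account(events: list[dict], threshold: int = 3) -> dict:
    """Accounts with at least `threshold` failed logons (event 529)."""
    fails = Counter(e["account"] for e in events if e["id"] == 529)
    return {acct: n for acct, n in fails.items() if n >= threshold}


def privileged_group_changes(events: list[dict], group: str = "Domain Admins") -> list[dict]:
    """Membership additions (event 632) that mention the named group."""
    return [e for e in events if e["id"] == 632 and group in e["detail"]]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(count_by_category(evs))
    print("repeated failures:", failed_logons_by_account(evs))
    for e in privileged_group_changes(evs):
        print("privileged group change:", e["time"], e["account"], e["detail"])
```

The two detections correspond to the "Logon/Logoff" and "Account management" functions on the slide; the same structure extends to the other categories (for example, event 612 in a domain where audit policy is not expected to change).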
The list of auditing options
References
• www.microsoft.com
• www.windowsitpro.com
• www.visualwin.com
• http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/d2ff1315-171248e4-acdc-8cae1b593eb1.mspx
• http://en.wikipedia.org/wiki/Active%5FDirectory
• http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/domcntrl.mspx#EFAA
The End