Active Directory
Windows 2003 Server
Agenda
What is Active Directory
Building an Active Directory
Using Active Directory Features
Active Directory Objects
Auditing Active Directory
Group Names
Charles Guzman
Daniel Gebretensai
Ervand Akopyan
Hovik Gharadaghi
Active Directory
What is Active Directory
• Efficient directory management service
• Based on standard Internet protocols
• Helps to clearly define a network’s structure
Requirements
The computer must be running Windows 2000 Server or Windows Server 2003 (Server, Advanced Server or Datacenter Server).
At least one volume on the computer must be formatted with NTFS.
DNS must be active on the network prior to AD installation, or be installed during AD installation.
DNS must support SRV records and be dynamic.
The computer must have the IP protocol installed and have a static IP address.
The Kerberos v5 authentication protocol must be installed.
Time and time zone information must be correct.
Installation of Active Directory
DCPROMO
Why Install DNS?
Clients use DNS to locate Active Directory domain controllers.
Servers and client computers register their names and IP addresses with the DNS server.
Active Directory
Domains – Group of computers
Domain Trees – Share a contiguous namespace
Domain Forests – Share common directory information
Organizational Units – Subgroup of domains that mirror an organization
Logical View
Child, Tree, Forest
Forest
Tree: ganesan.cool
Child Domains: 484.ganesan.cool, 485.ganesan.cool
Sub domains of 484.ganesan.cool: ervand.484.ganesan.cool, charles.484.ganesan.cool
Sub domains of 485.ganesan.cool: hovik.485.ganesan.cool, daniel.485.ganesan.cool
Tree: othername.cool
Child Domains: 484.othername.cool, 485.othername.cool
Sub domains of 484.othername.cool: ervand.484.othername.cool, charles.484.othername.cool
Sub domains of 485.othername.cool: hovik.485.othername.cool, daniel.485.othername.cool
Creating a Child Domain
Requirements
Existing Domain
Member Server
What does Active Directory do for us?
Keep a central list of users and passwords
Provide a set of servers to act as “authentication servers”, known as domain controllers
Maintain a searchable index of the things in the domain
Allow you to create users with different levels of power
USING ACTIVE DIRECTORY FEATURES
Directory service backup reminders
Added replication security and fewer errors
Install from Media improvement for installing DNS servers
Support for running domain controllers in virtual machines
Extended storage of deleted objects
New AD Features in Windows 2003
Multiple selection of user objects
Drag and drop functionality
Efficient search capabilities
Saved Queries
New Domain and Forest Wide AD Features
Domain controller rename tool
Different location option for user and computer accounts
Forest trusts
Replication enhancements
User access control to resources between domains and forests
Group Policy Feature
Defines the various components of the user’s desktop environment that an administrator must manage
Applies not only to users and client computers but also to member servers, domain controllers, and other Windows Server 2003 systems in the scope of management
Group Policy cont’d
Manage registry-based policy with Administrative Templates
Assign scripts, such as computer startup, shutdown, logon, and logoff scripts
Redirect folders, such as My Documents and My Pictures, from the Documents and Settings folder on the local computer to network locations
GP Screenshots
Configuring a custom console
GP Screenshots
Adding a group policy object link
ADDING AND REMOVING OBJECTS
Active Directory Objects
Objects
An object is a distinct, named set of attributes that represents a network resource. Typical objects are users, groups, computers and printers. Each object has a number of attributes. For example, the user object has attributes such as password, name, password length and e-mail address.
Objects are typically grouped into classes, such as groups (a number of user accounts), computers and printers. When objects are grouped together, they are placed into a container that holds the objects (it’s like a desk drawer that holds a number of objects).
If you try to add AD users using lusrmgr.msc, you will receive the following error:
How to join a Domain Network
Watching the Network
Auditing with Active Directory
Situation
Something went wrong and the Boss asks:
“What kind of network activity have we had recently?”
There are numerous options to choose from when configuring auditing for computers.
This helps in many ways
It allows you to target specific activities instead of taking a wider sweep of all activity on a computer.
A narrower scope of what you are auditing results in smaller logs, which make reviewing the logged information more efficient.
Finally, reducing the auditing options to just what you need reduces the load on the computer, allowing it to provide more resources to other activities.
What can you audit?
Windows 2000 and every subsequent version of NT supports audits
Audit account logon and logon events
Audit object access
Audit account management
Audit directory service access
Audit policy change
Audit system events
Audit process tracking
Audit privilege use
Account Logon and Logon Events
It keeps track of who tried to log on to what server
This will audit each time a user logs on or off from another computer where the computer performing the auditing is used to validate the account.
Example: Windows XP logon to a DC
Audit Object Access
This security setting determines whether to audit the event of a user accessing an object (for example, a file, folder, registry key, printer, and so forth) that has its own system access control list (SACL) specified
Audit Account Management
Any changes to user or group accounts get logged here
Examples:
Create a user
Create a group
Modify a group’s membership
Change a password
Audit Privilege Use
Determines whether to audit each instance of a user exercising a user right
Produces an entry for every right exercised
Be prepared for larger log files
Examples:
Logging on
Shutting down
Changing the system time
Audit System Events
Determines whether to audit when a user restarts or shuts down the computer, or when an event has occurred that affects either the system security or the security log
Not many entries
Logs whenever the machine is restarted or shut down
Example:
When you clear the security log or resize it
Directory Service Access
This will audit each event related to a user accessing an Active Directory object that has been configured to track user access through the System Access Control List (SACL) of the object
Audit Process Tracking
Mostly used by programmers
Tracks activity between programs and the operating system
The list of auditing options
Success or Failure Auditing?
Each of these options provides two configuration settings: Success and/or Failure.
These options are essential to help you track the required information generated by a user performing a task.
Tasks are typically related to one of the following:
Permissions configured on the Access Control List of a resource
User Rights configured for a specific computer
Administrative privileges, typically granted through group membership
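As an added example that is not part of the deck: a small Python model of the Success/Failure settings for the audit categories listed above, applied to constructed security-log records, showing how the narrower scope described earlier yields a much smaller log than auditing everything. The policy contents and every event record are constructed for illustration, not taken from a real domain controller.

```python
from collections import Counter

# The audit categories the deck lists (Windows 2000/2003 audit policy).
CATEGORIES = (
    "Account logon", "Logon", "Object access", "Account management",
    "Directory service access", "Policy change", "System",
    "Process tracking", "Privilege use",
)
BOTH = frozenset({"Success", "Failure"})

# The "wider sweep": every category, Success and Failure.
BROAD_POLICY = {cat: BOTH for cat in CATEGORIES}

# A narrower scope aimed at the boss's question: failed logons, account, directory and
# policy changes, and security-log tampering. Categories left out are "No auditing".
NARROW_POLICY = {
    "Account logon": frozenset({"Failure"}),
    "Logon": frozenset({"Failure"}),
    "Account management": BOTH,
    "Directory service access": BOTH,
    "Policy change": BOTH,
    "System": BOTH,
}

# Constructed sample records (not captured from a real domain controller). Privilege-use
# entries are deliberately many: the deck warns that category logs every right exercised.
SAMPLE_EVENTS = [
    {"category": "Logon", "outcome": "Success", "detail": "alice from WINXP01"},
    {"category": "Logon", "outcome": "Failure", "detail": "bob from WINXP02"},
    {"category": "Account management", "outcome": "Success", "detail": "group membership changed"},
    {"category": "Directory service access", "outcome": "Failure", "detail": "bob read OU=Finance"},
    {"category": "System", "outcome": "Success", "detail": "security log cleared"},
    {"category": "Process tracking", "outcome": "Success", "detail": "notepad.exe started"},
] + [{"category": "Privilege use", "outcome": "Success", "detail": "SeChangeNotifyPrivilege"}
     for _ in range(40)]

def is_logged(policy, event):
    """True if the policy's Success/Failure setting for the event's category records it."""
    return event["outcome"] in policy.get(event["category"], frozenset())

def apply_policy(policy, events):
    """Filter events through a policy; return kept events and per-(category, outcome) counts."""
    kept = [e for e in events if is_logged(policy, e)]
    return kept, Counter((e["category"], e["outcome"]) for e in kept)

def compare_policies(events=SAMPLE_EVENTS):
    """Resulting log size under each policy: the narrow scope keeps far fewer entries."""
    broad, _ = apply_policy(BROAD_POLICY, events)
    narrow, narrow_counts = apply_policy(NARROW_POLICY, events)
    return {"broad": len(broad), "narrow": len(narrow), "narrow_counts": narrow_counts}
```

On the constructed sample, compare_policies() keeps 46 entries under the broad policy and 4 under the narrow one, and the narrow counts show which category and outcome each kept entry came from.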