Active Directory Nanda Ganesan, Ph.D. © N. Ganesan, Ph.D. , All rights reserved.

Objective
• Outline the step-by-step installation
and configuration of Active Directory
References
• www.microsoft.com
• www.windowsitpro.com
• www.visualwin.com
• http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/d2ff1315-171248e4-acdc-8cae1b593eb1.mspx
• http://en.wikipedia.org/wiki/Active%5FDirectory
• http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/domcntrl.mspx
Active Directory
• A directory service for the efficient
management of users, resources and
privileges that is based on standard
protocols
Active Directory
• An efficient directory management
service for users, resources and
privileges that is based on standard
Internet protocols
Active Directory Structure
• Domains
• Domain Trees
• Domain Forests
Active Directory Objects
• An object is a distinct named set of
attributes that represents a network
resource. Typical objects are users,
groups, computers and printers. Each
object has a number of attributes. For
example, the user object has attributes
such as password, name, password
length and e-mail address.
Active Directory Groups
• Objects are typically grouped into
classes, such as groups (a number of
user accounts), computers and printers.
When objects are grouped together,
they are placed into a container that
holds the objects (it is like a desk drawer
that holds a number of objects).
AD Purpose
• Keep a central list of users and passwords
• Provide a set of servers to act as
“authentication servers” known as a
Domain Controller
• Maintain a searchable index of the things
in the domain
• Allow you to create users with different
levels of power
Some AD Uses
• Multiple selection of user objects
• Drag and Drop functionality
• Efficient search capabilities
• Saved Queries
Requirements
• The computer must be Windows 2k, 2k3 Server,
Advanced Server or Datacenter Server.
• At least one volume on the computer must be
formatted with NTFS.
• DNS must be active on the network prior to AD
installation or be installed during AD installation.
• DNS must support SRV records and be dynamic.
• The computer must have IP protocol installed and
have a static IP address.
• The Kerberos v5 authentication protocol must be
installed.
• Time and zone information must be correct
Installation Initiation
• From start menu run DCPROMO
Installing DNS
• DNS is required for AD to function
– Clients use DNS to locate AD domain controllers
– Servers and client computers register their
names and IP addresses with DNS for name
resolution
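As an added illustration (not part of the slides), the following Python shows what "clients use DNS to locate domain controllers" means in practice: a domain member queries the SRV name _ldap._tcp.dc._msdcs.&lt;domain&gt; and orders the answers by priority and weight as RFC 2782 prescribes. The record lines and host names (dc1.example.com and so on) are constructed placeholders; in practice the answer comes from nslookup or Resolve-DnsName against the domain's DNS server. A missing or empty answer is exactly the "DNS must support SRV records" requirement failing.

```python
# Added example (not from the slides): parse DNS SRV records for the
# _ldap._tcp.dc._msdcs.<domain> name that domain members query to find a
# domain controller, and order them the way an RFC 2782 client does.
# The record lines below are constructed; the host names are placeholders.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer section in zone-file / dig presentation format.
SAMPLE_SRV_ANSWER = """\
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 0 389 dc-site2.example.com.
"""


def parse_srv(text):
    """Parse 'name ttl IN SRV priority weight port target' lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue  # not an SRV record line; ignore
        prio, weight, port = (int(x) for x in fields[4:7])
        records.append(SrvRecord(prio, weight, port, fields[7].rstrip(".")))
    return records


def order_srv(records, seed=None):
    """Return records in the order a client should try them (RFC 2782):
    lowest priority first; within one priority, a weighted random choice
    in which weight-0 records are picked only when the random pick is 0."""
    rng = random.Random(seed)
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)

    ordered = []
    for prio in sorted(by_priority):
        # Weight-0 records are placed first, as the RFC's selection rule
        # requires, so they are chosen only when the pick is 0.
        pool = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            chosen = pool[-1]
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    chosen = rec
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def locate_dc(text, seed=None):
    """host:port of the first domain controller a client would contact."""
    ordered = order_srv(parse_srv(text), seed)
    if not ordered:
        raise LookupError("no SRV records: DNS does not advertise a DC")
    first = ordered[0]
    return f"{first.target}:{first.port}"


if __name__ == "__main__":
    for rec in order_srv(parse_srv(SAMPLE_SRV_ANSWER)):
        print(rec.priority, rec.weight, rec.port, rec.target)
    print("first DC:", locate_dc(SAMPLE_SRV_ANSWER))
```

The priority-10, weight-0 record is only ever tried after both priority-0 controllers fail, which is how a remote site's DC is kept as a fallback; the seed parameter exists so the weighted choice can be made reproducible when testing.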
Accessing AD Tools
• From start menu choose administrative
tools and then AD tools
Creating a Child Domain
• Requirements
– Existing domain
– Member server
Active Directory Correction
• Locate the domain controller and ensure
that it is present before creating a child
domain
Group Policy
• Defines the various components of the
user's desktop environment that an
administrator must manage
• Applies not only to users and client
computers but also to member servers,
domain controllers, and other Windows
Server 2003 computers in the scope of management
Group Policy Continued
• Manage registry-based policy with
Administrative Templates
• Assign scripts. This includes scripts such
as computer startup, shutdown, logon,
and logoff
• Redirect folders, such as My Documents
and My Pictures, from the Documents and
Settings folder on the local computer to
network locations
Active Directory Users and Computers
• AD users and computers
• AD users and computers are different
from local users and computers
AD Users and Computers
Joining a Domain
• Computers may have to join a domain
to be able to access the resources
Auditing Active Directory
• There are numerous options for configuring auditing of
usage
• They let you target specific activities instead of
taking a wider sweep of all activity on a computer.
• A narrower scope of what you audit results in
smaller logs, which makes reviewing the
logged information more efficient.
• Finally, reducing the auditing options to just what you
need will reduce the load on the computer, allowing
it to provide more resources to other activities.
Auditable Features
• Account logon and logon events
• Object access
• Account management
• Directory service access
• Policy change
• System events
• Process tracking
• Privilege
Auditing Logon and Logon Events
• It keeps track of who tried to log on to
what server
• This will audit each time a user is logging
on or off from another computer in which
the computer performing the auditing is
used to validate the account.
• Example:
– Windows XP logon to a DC
Auditing Object Access
• This security setting determines
whether to audit the event of a user
accessing an object
• For example, a file, folder, registry key,
printer, and so forth, that has its own
system access control list (SACL)
specified
Auditing Account Management
• Any changes to user or group accounts
get logged here
• Examples:
– Create a user
– Create a group
– Modify a group’s membership
– Change a password
Auditing Privilege Use
• Determines whether to audit each instance
of a user exercising a user right
• Produces an entry for every right
exercised, which is a lot of output
• Be prepared for larger log files
• Examples:
– Logging on
– Shutting down
– Changing the system time
Auditing System Events
• Determines whether to audit when a user
restarts or shuts down the computer or an
event has occurred that affects either the
system security or the security log
• Not many entries
• Logs whenever the machine is restarted or shut
down
– Example: When you clear the security log or
resize it
Auditing Directory Service Access
• This will audit each event that is related to a
user accessing an Active Directory object
which has been configured to track user
access through the System Access Control
List (SACL) of the object
Auditing Process Tracking
• Mostly used by programmers
• Tracks activity between programs and
the operating system
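To tie the auditing slides together, here is an added Python example (not from the slides) that sorts Security log events into the audit categories listed above, then applies a narrowed audit policy and measures how much smaller the log becomes, which is the "narrower scope, smaller logs" point made earlier. The event-ID mapping is an assumption on my part and uses the Windows Vista / Server 2008-and-later Security log IDs rather than the Server 2003 numbering the slides predate; the log lines and account names are constructed, and the simple "timestamp event-id message" line format is likewise my own.

```python
# Added example (not from the slides): classify Security log events into the
# audit categories the slides list, then apply a narrowed audit policy and
# report the log-volume reduction. Event IDs are the Windows Vista /
# Server 2008+ Security log IDs (assumption: not the Server 2003 numbering);
# the sample log is constructed.
import re
from collections import Counter

# Well-known Security log event IDs -> audit category (subset, assumption).
CATEGORY_BY_EVENT_ID = {
    4768: "Account Logon",            # Kerberos TGT requested at the DC
    4776: "Account Logon",            # NTLM credential validation at the DC
    4624: "Logon", 4625: "Logon", 4634: "Logon",   # logon ok / failed / logoff
    4663: "Object Access",            # access to an object with a SACL
    4720: "Account Management",       # user account created
    4727: "Account Management",       # security-enabled global group created
    4728: "Account Management",       # member added to a global group
    4724: "Account Management",       # password reset attempted
    4662: "Directory Service Access", # operation on an AD object with a SACL
    4719: "Policy Change",            # audit policy changed
    4608: "System", 4609: "System",   # Windows starting up / shutting down
    1102: "System",                   # the audit log was cleared
    4616: "System",                   # system time changed
    4688: "Process Tracking",         # new process created
    4673: "Privilege Use", 4674: "Privilege Use",  # privileged service / object
}

# Constructed log: "<timestamp> <event id> <message>" per line.
SAMPLE_LOG = """\
2024-01-15T08:00:01Z 4608 Windows is starting up
2024-01-15T08:05:10Z 4624 An account was successfully logged on: alice
2024-01-15T08:05:11Z 4688 A new process has been created: explorer.exe
2024-01-15T08:05:12Z 4688 A new process has been created: notepad.exe
2024-01-15T08:07:30Z 4720 A user account was created: bob
2024-01-15T08:07:45Z 4728 A member was added to a security-enabled global group: bob
2024-01-15T08:09:00Z 4625 An account failed to log on: carol
2024-01-15T08:09:05Z 4625 An account failed to log on: carol
2024-01-15T08:10:00Z 4662 An operation was performed on an object: OU=Users
2024-01-15T08:11:00Z 1102 The audit log was cleared
2024-01-15T08:12:00Z 4673 A privileged service was called
2024-01-15T08:12:30Z 9999 Vendor-specific event
"""

EVENT_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")


def parse_log(text):
    """Turn the constructed line format into event dicts with a category."""
    events = []
    for line in text.splitlines():
        match = EVENT_RE.match(line)
        if not match:
            continue  # skip blank or malformed lines
        event_id = int(match.group(2))
        events.append({
            "time": match.group(1),
            "event_id": event_id,
            "category": CATEGORY_BY_EVENT_ID.get(event_id, "Uncategorized"),
            "message": match.group(3),
        })
    return events


def summarize(events):
    """Count events per audit category (what a 'wider sweep' produces)."""
    return Counter(e["category"] for e in events)


def apply_policy(events, enabled_categories):
    """Keep only events whose category the audit policy has enabled."""
    return [e for e in events if e["category"] in enabled_categories]


def volume_report(events, enabled_categories):
    """Before/after counts, showing the log-size effect of narrowing scope."""
    kept = apply_policy(events, enabled_categories)
    return {"before": len(events), "after": len(kept),
            "dropped": len(events) - len(kept)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for category, count in sorted(summarize(evs).items()):
        print(f"{category:26s} {count}")
    print(volume_report(evs, {"Account Management", "System"}))
```

Note that the narrowed policy still retains event 1102 (security log cleared), which the System Events slide singles out; a policy that disables the System category would lose exactly that record.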
THE END