Understanding Active Directory Heng Sovannarith heng_sovannarith@yahoo.com
Active Directory Active Directory is a directory service and hierarchical data store that holds information about objects on your network and makes it easy for administrators to manage and search for those objects. Objects inside Active Directory are stored in a tree structure. The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network. Active Directory cannot exist without a functioning DNS service.
Active Directory (cont.) A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy. At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration.
Trusts In Active Directory, when two domains trust each other or a trust relationship exists between the domains, the users and computers in one domain can access resources residing in the other domain.
Trusts (cont.) Domains in a domain tree are joined using two-way transitive trusts. These trusts enable each domain in the tree to trust the authority of every other domain in the tree for user authentication. This means that when a domain joins a domain tree, it automatically trusts every domain in the tree.
Trusts (cont.) To allow users in one domain to access resources in another, Active Directory uses trusts.
One-way trust: One domain allows access to users from another domain, but the other domain does not allow access to users from the first domain.
Two-way trust: Each of the two domains allows access to users from the other domain.
Trusting domain: The domain that allows access to users from a trusted domain.
Trusted domain: The domain that is trusted; its users have access to the trusting domain.
Transitive trust: Trust extends to every domain that a trusted domain itself trusts. So where Domain1 trusts Domain2, and Domain2 trusts Domain3, Domain1 also trusts Domain3.
Non-transitive trust: The trust relationship ends with the two domains between which it is created; it does not extend to any domain that either of them trusts.
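As an added illustration of the trust rules above (this is not code from the slides), the PowerShell function below walks a constructed trust table and reports which domains a given domain effectively trusts. It uses a simplified model: a trust path is usable when every hop is transitive, or when it is a single non-transitive hop; forest-boundary rules are not modelled. The domain names and the trust table are constructed for the example.

```powershell
# Added example, not from the slides. Constructed trust table: one row per direction,
# as AD stores it (the trusting domain holds the trust). A two-way trust is two rows.
$Trusts = @(
    [pscustomobject]@{ Trusting = 'Domain1'; Trusted = 'Domain2'; Transitive = $true  }
    [pscustomobject]@{ Trusting = 'Domain2'; Trusted = 'Domain1'; Transitive = $true  }
    [pscustomobject]@{ Trusting = 'Domain2'; Trusted = 'Domain3'; Transitive = $true  }
    [pscustomobject]@{ Trusting = 'Domain3'; Trusted = 'Domain2'; Transitive = $true  }
    [pscustomobject]@{ Trusting = 'Domain3'; Trusted = 'Partner'; Transitive = $false }  # one-way, non-transitive
)

function Get-EffectiveTrustedDomains {
    param([string]$Domain, [object[]]$TrustTable)
    # Simplified model: a path is usable when every hop is transitive, or when it is a
    # single non-transitive hop starting at $Domain itself.
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $queue = [System.Collections.Generic.Queue[string]]::new()
    [void]$seen.Add($Domain)
    $queue.Enqueue($Domain)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($edge in @($TrustTable | Where-Object { $_.Trusting -eq $current })) {
            if ($edge.Transitive) {
                # Transitive: the trusted domain, and whatever it trusts transitively, is reachable.
                if ($seen.Add($edge.Trusted)) { $queue.Enqueue($edge.Trusted) }
            } elseif ($current -eq $Domain) {
                # Non-transitive: reachable only as a direct hop from $Domain; never followed further.
                [void]$seen.Add($edge.Trusted)
            }
        }
    }
    [void]$seen.Remove($Domain)   # a domain is not listed as trusting itself
    return @($seen | Sort-Object)
}

# With the table above: Domain1 reaches Domain3 through two transitive hops, while
# Partner is reachable from Domain3 only, because that trust is non-transitive.
foreach ($d in 'Domain1', 'Domain2', 'Domain3') {
    '{0} effectively trusts: {1}' -f $d, ((Get-EffectiveTrustedDomains -Domain $d -TrustTable $Trusts) -join ', ')
}
```

Running it against a real environment means replacing the constructed table with the output of Get-ADTrust from the ActiveDirectory module, mapping Direction and the ForestTransitive/IntraForest flags onto the Transitive column.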
Organizational Units The objects held within a domain can be grouped into Organizational Units (OUs). An organizational unit (OU) is a container that logically organizes and groups Active Directory objects within a domain. OUs are not part of the DNS namespace. OUs therefore serve as containers in which users can create and manage Active Directory objects. OUs are the smallest unit to which an administrator can assign permissions to resources within Active Directory. OUs can be organized by geography, by department, or in many other ways.
Organizational Units (cont.) Group Policy settings can also be applied to OUs. The Active Directory object types that can be located in OUs are: user, group, and computer objects; shared folders, printers, applications, and other OUs from the same domain.
Users, Groups and Computers User objects are the main security principals used in Active Directory. A user object consists of the user name, password, group membership details, and other information that defines the user. A group is a collection of user and computer accounts, contacts, and other groups. A group object saves administrators from having to set permissions for each user individually: a set of users is grouped and the appropriate permission is then assigned to the group on Active Directory objects. A computer object contains information about a computer that is a member of the domain. When a computer joins the domain, a computer account is created for it automatically in AD.
The differences between OUs and groups OUs keep your objects organized and are used to control what users and computers can and cannot do. Groups are Active Directory objects that allow you to grant and deny access to resources such as printers and folders. Groups live in OUs. The basic difference between OUs and groups is that groups are used when applying security to objects, whereas OUs exist where certain administrative functionality needs to be delegated.
Exercise Design the Active Directory for the Royal University of Phnom Penh. 20 minutes only!
Active Directory Installation Please read the other file which I have given to you.
Managing Organizational Units To create an organizational unit: go to Server Manager, right-click the domain or organizational unit in which you want to create it -> New -> Organizational Unit.
Managing Organizational Units (cont.) Command Line
Create a new OU: dsadd ou <OrganizationalUnitDN>
Example: dsadd ou "OU=SiemReap,DC=rith,DC=local"
For help on dsadd: dsadd ou /?
Remove an OU: dsrm <OrganizationalUnitDN>
Example: dsrm "OU=SiemReap,DC=rith,DC=local"
Managing Group To create a group: go to Server Manager, right-click the organizational unit or container in which you want to create it -> New -> Group.
Managing Group (cont.) Command Line
Create a new group: dsadd group <GroupDN> -samid <SAMName> -secgrp {yes|no} -scope {l|g|u}
Where <GroupDN> is the distinguished name of the group, <SAMName> is the unique SAM account name for the group, {yes|no} specifies whether it's a security group, and {l|g|u} defines the scope (l = domain local, g = global, u = universal). Once created, you can modify group membership and other properties by right-clicking the group in Active Directory Users and Computers.
Example: dsadd group "cn=it Users,ou=phnom Penh,dc=rith,dc=local"
Managing Group (cont.) Remove a group: dsrm <GroupDN>
Example: dsrm "cn=it Users,ou=phnom Penh,dc=rith,dc=local"
Managing User
Managing User (cont.) The password needs to meet the default complexity requirements: it must be 8 characters long and combine letters, numbers, and symbols, and it must not be the same as the username. Example: moon@123#$%
Managing User (cont.) Command Line
dsadd user "cn=rith,ou=it,ou=library,dc=rith,dc=local" -fn Miguel -ln Heng -pwd rith@123%#$ -mustchpwd yes
Or, adding the user to a group at the same time:
dsadd user "cn=rith,ou=it,ou=library,dc=rith,dc=local" -fn Miguel -ln Heng -pwd rith@123%#$ -mustchpwd yes -memberof "cn=it Users,ou=phnom Penh,dc=rith,dc=local"
Managing User (cont.) Disable user account: dsmod user <UserDN> -disabled {yes|no}
Example: dsmod user "cn=rith,ou=it,ou=library,dc=rith,dc=local" -disabled yes
Remove user account: dsrm <ObjectDN>
Example: dsrm "cn=rith,ou=it,ou=library,dc=rith,dc=local"
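The OU, group and user steps from the command-line slides above, done with the ActiveDirectory PowerShell module instead of dsadd/dsmod, as an added example that is not from the slides. It assumes RSAT (the ActiveDirectory module) is installed, the session runs with rights to create objects in rith.local, and it reuses the slides' OU, group and user names (the group is placed in the SiemReap OU so one OU serves the whole example).

```powershell
# Added example, not from the slides. Requires the ActiveDirectory module (RSAT) and a
# session with rights to create objects in rith.local; names follow the slides.
Import-Module ActiveDirectory

$DomainDN = 'DC=rith,DC=local'
$OuDN     = "OU=SiemReap,$DomainDN"
$GroupDN  = "CN=IT Users,$OuDN"

# 1. OU  (dsadd ou "OU=SiemReap,DC=rith,DC=local")
if (-not (Get-ADOrganizationalUnit -Identity $OuDN -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name 'SiemReap' -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Global security group  (dsadd group <GroupDN> -samid ITUsers -secgrp yes -scope g)
if (-not (Get-ADGroup -Identity $GroupDN -ErrorAction SilentlyContinue)) {
    New-ADGroup -Name 'IT Users' -SamAccountName 'ITUsers' -Path $OuDN `
        -GroupCategory Security -GroupScope Global
}

# 3. User who must change the initial password at first logon
#    (dsadd user <UserDN> -fn Miguel -ln Heng -pwd ... -mustchpwd yes -memberof <GroupDN>).
#    The initial password is prompted for rather than written into the script or command line,
#    where it would land in shell history and logs.
$initial = Read-Host -AsSecureString 'Initial password for rith'
if (-not (Get-ADUser -Identity 'rith' -ErrorAction SilentlyContinue)) {
    New-ADUser -Name 'rith' -GivenName 'Miguel' -Surname 'Heng' -SamAccountName 'rith' `
        -UserPrincipalName 'rith@rith.local' -Path $OuDN -AccountPassword $initial `
        -ChangePasswordAtLogon $true -Enabled $true
}
Add-ADGroupMember -Identity $GroupDN -Members 'rith'

# 4. Verify what was created: group membership and account state
Get-ADUser -Identity 'rith' -Properties MemberOf |
    Select-Object SamAccountName, Enabled, @{ n = 'MemberOf'; e = { $_.MemberOf -join '; ' } }
Get-ADGroupMember -Identity $GroupDN | Select-Object SamAccountName, objectClass

# 5. Offboarding, shown on the account just created: disable first (dsmod user <UserDN>
#    -disabled yes) so the object keeps its SID and group history for review; delete only
#    afterwards with Remove-ADUser -Identity 'rith' (dsrm <ObjectDN>).
Disable-ADAccount -Identity 'rith'
Get-ADUser -Identity 'rith' | Select-Object SamAccountName, Enabled   # re-read the Enabled flag
```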
Add a user to a group Type the group name and then click Check Names, or click Advanced if you are not sure about the group name. Then click OK to finish.
Joining a Domain
Log In