Windows 2000 Active Directory Services
Training Division, NIC
Active Directory
Active Directory stores information about objects on the network and makes that information easy for administrators and users to find and use. The Active Directory directory service uses a structured data store as the basis for a logical, hierarchical organization of directory information.

Directory Service Functionality
- Centrally organizing, managing and controlling resources: users can access any resource without knowing where it is or how it is physically connected.
- Centralized management of resources: network administrators manage the resources in their network from one place.
- Users log on once to access resources (single sign-on).
What Is Active Directory? (diagram)
Active Directory is the management focal point for: users and resources, security, delegation, policy, applications, server configuration and single sign-on.
It holds or feeds: Windows user account information (privileges, profiles, policy); Windows client and server management profiles, network information and policy; server services such as printers and file shares; network device configuration (QoS, security, firewall and VPN policy); e-mail server mailbox and address-book information; other directories and NOS user registries (e-commerce, other NOS); application-specific directory information.

Technologies supported by Active Directory
- DHCP: Dynamic Host Configuration Protocol
- TCP/IP: network transports
- DNS: Domain Name System
- SNTP: Simple Network Time Protocol
- LDAP: Lightweight Directory Access Protocol
- LDIF: LDAP Data Interchange Format
- Kerberos: network authentication protocol (Kerberos v5 is the default authentication protocol in a Windows 2000 domain)
- X.509: public-key certificate standard
Windows NT 4 architecture (diagram): applications call the Windows NT interfaces; the System Services layer (I/O Manager, Virtual Memory Manager, Cache Manager, Process Manager, Local Procedure Call Facility, Security Reference Monitor, Object Manager, Window Manager, file system, network, device and graphics device drivers) sits on the microkernel and the Hardware Abstraction Layer (HAL); the Windows NT 4 directory is one of these services.
Windows 2000 architecture (diagram): the same layering, but Active Directory Services is a system service alongside the Security Reference Monitor and the Object Manager, and applications reach it through ADSI (Active Directory Service Interfaces).
Features of Active Directory Information security Policy-based administration Extensibility Scalability Replication of information Integration with DNS Interoperability with other directory services Flexible querying
Active Directory - Schema
The schema is the definition of the object classes that may be created in the directory and of the attributes each class may hold. Example: a User object carries attributes such as Account Name, Title, Manager and Office Location.
Logical Components of Active Directory Organizational units Domains Trees Forests Global Catalog
Active Directory - Domain
- A domain is the unit of administration and of replication: every domain controller in a domain holds a full copy of the domain's directory partition, so the domain is a replication boundary.
- OU properties and Group Policy are inherited within a domain only, not across domains.
- Represented by a triangle in Active Directory diagrams.
- The slide calls the domain a security boundary. Strictly, in Windows 2000 the forest is the security boundary: all domains share one schema and configuration, and administrators of any domain in the forest can affect the others, so an untrusted organization needs its own forest, not just its own domain.

Domain Modes
- Mixed mode (the default): Windows NT 4 backup domain controllers can still exist alongside Windows 2000 domain controllers.
- Native mode: all domain controllers run Windows 2000; universal groups, group nesting and SID history become available. The switch from mixed to native mode is one-way.
Organizational units
Organizational units (OUs) are Active Directory containers into which you can place users, groups, computers and other organizational units. An organizational unit cannot contain objects from other domains. An organizational unit is the smallest scope to which you can assign Group Policy settings or delegate administrative authority. OUs can be nested to arbitrary depth to represent the hierarchical, logical structures within the organization, which lets you manage the configuration and use of accounts and resources according to the organizational model. OUs are also the grouping used for account administration.

Organizational Unit Hierarchy (example diagram): OUs named Administration, Finance, P&V, Training, Hardware, Purchase and Stores.
Active Directory Tree
A domain tree is one or more domains that have a parent-child relationship with a root domain.
- Domains within a domain tree form a contiguous namespace.
- The schema is common to all domains in a domain tree.
- Security between the domains is handled by Kerberos trusts.
- Users can search for all information within the domain tree.

Domain Tree (example diagram)
delhi.nic.in
  training.delhi.nic.in
    technical.training.delhi.nic.in
    admin.training.delhi.nic.in
  accounts.delhi.nic.in
  admin.delhi.nic.in
Why more than one domain?
- Different business locations: multinational companies, regional headquarters.
- WAN links: slow links between major sites; a domain boundary reduces replication traffic across them.
- Security boundaries: subsidiaries, affiliates, partners.

How Many Domains? (example diagram)
widgets.org
  na.widgets.org (North America)
    hq.na.widgets.org (headquarters)
    we.na.widgets.org (west)
    ce.na.widgets.org (central)
    ea.na.widgets.org (east)
  euro.widgets.org
    uk.euro.widgets.org (UK)
    ge.euro.widgets.org (Germany)
    fr.euro.widgets.org (France)
  asia.widgets.org
    jp.asia.widgets.org (Japan)
    oz.asia.widgets.org (Australia)
    nz.asia.widgets.org (New Zealand)

When To Consider A Forest
If the company is diverse, a forest may be the best model. Creating a forest with several trees means separate administrative domain trees, multiple namespaces and more administrators. Don't create additional trees or forests unless there is a solid business reason to do so.

Forest with two trees (example diagram)
delhi.nic.in: training.delhi.nic.in (technical.training.delhi.nic.in, admin.training.delhi.nic.in), accounts.delhi.nic.in, admin.delhi.nic.in
assam.nic.in: training.assam.nic.in (technical.training.assam.nic.in, admin.training.assam.nic.in), accounts.assam.nic.in, admin.assam.nic.in

Active Directory Forest
A forest is a set of domain trees that share a common schema and configuration and a single Global Catalog, and are secured by Kerberos trusts. The namespace is non-contiguous, e.g. del.com and msn.com in one forest. Useful for companies with subsidiaries that need autonomy in administrative roles.

Forest (example diagram): Delhi.nic.in, Assam.nic.in, Chandigarh.nic.in
- Allows a company's different branches to work together easily without changing names.
- Allows for easy merger or sale (post Windows 2000).
- Avoids political problems between administrators.
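The contiguous-namespace rule above can be checked mechanically: a domain belongs to a tree if its DNS parent is also a domain in the tree, otherwise it starts a tree of its own. The following Python is an added example, not code from the original slides; the domain names are taken from the deck's diagrams, and the grouping logic illustrates the rule rather than reproducing any Windows 2000 component.

```python
"""Group Active Directory domain DNS names into domain trees and decide
whether a set of domains forms one tree (contiguous namespace) or a
forest of several trees (non-contiguous namespace).

Added example; not from the original slides. Domain names are the ones
in the deck's diagrams; the grouping rule is an illustration of the
'contiguous namespace' definition, not code from Windows 2000.
"""
from collections import defaultdict


def parent_name(fqdn):
    """DNS parent of a FQDN: 'training.delhi.nic.in' -> 'delhi.nic.in'."""
    return fqdn.split(".", 1)[1] if "." in fqdn else ""


def build_trees(domains):
    """Return {tree_root: [member domains]} for the given domain names.

    A domain belongs to the tree of its DNS parent if that parent is also
    a domain in the set; otherwise it is itself a tree root. Several roots
    in one set mean a forest with a non-contiguous namespace.
    """
    names = {d.lower().rstrip(".") for d in domains}
    root_of = {}

    def find_root(name):
        if name not in root_of:
            parent = parent_name(name)
            root_of[name] = find_root(parent) if parent in names else name
        return root_of[name]

    trees = defaultdict(list)
    for name in sorted(names):
        trees[find_root(name)].append(name)
    return dict(trees)


def is_single_tree(domains):
    """True when every domain hangs off one common root domain."""
    return len(build_trees(domains)) == 1


# Constructed from the deck's diagrams.
DELHI_TREE = [
    "delhi.nic.in",
    "training.delhi.nic.in", "accounts.delhi.nic.in", "admin.delhi.nic.in",
    "technical.training.delhi.nic.in", "admin.training.delhi.nic.in",
]
ASSAM_TREE = [
    "assam.nic.in",
    "training.assam.nic.in", "accounts.assam.nic.in", "admin.assam.nic.in",
    "technical.training.assam.nic.in", "admin.training.assam.nic.in",
]

if __name__ == "__main__":
    forest = build_trees(DELHI_TREE + ASSAM_TREE + ["Chandigarh.nic.in"])
    for root, members in forest.items():
        print(root, "->", members)
```

Note that a domain whose DNS parent is not itself a domain in the set (say a.b.delhi.nic.in without b.delhi.nic.in) comes out as a separate tree root: Active Directory requires a child domain to be an immediate DNS child of its parent, so the function reports exactly that case as a new tree.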
Trust Relationships
Two kinds: one-way, non-transitive trusts and two-way, transitive trusts.

One-Way, Non-Transitive Trust (diagram): Domain A trusts Domain B, and Domain B trusts Domain C. A does not trust C, and B does not trust A. This is the Windows NT 4 style of trust, and it is what Windows 2000 creates for an explicit trust to a Windows NT 4 domain or to a domain in another forest.

Two-Way, Transitive Trust (diagram): Domain A and Domain B trust each other, and Domain B and Domain C trust each other. Because the trusts are transitive, A and C trust each other as well. Windows 2000 creates two-way transitive Kerberos trusts automatically between a child domain and its parent and between each tree root and the forest root domain.

Trusts Within Forest (diagram, domains A to F): the parent-child and tree-root trusts are all two-way and transitive, so every domain in the forest trusts every other domain through a chain of trusts.
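Whether a resource domain will accept a user from another domain depends on whether a usable trust path exists, and the transitive flag on each hop is what decides it. The following Python is an added example, not code from the original slides and not Windows' own trust evaluation. The trust tables are constructed to match the A/B/C diagrams; the forest layout (tree roots A and B joined by a tree-root trust, with C, D under A and E, F under B) is an assumption made for the example, since the slide only names the six domains.

```python
"""Decide whether a resource domain will accept a user from an account
domain, following the trust rules drawn on the preceding slides.

Added example; not from the original slides. The trust tables below are
constructed to match the A/B/C diagrams, and the path-finding rule is an
illustration of transitive vs. non-transitive trust, not Windows' own
trust-evaluation code.
"""
from collections import defaultdict, deque


def trust(trusting, trusted, transitive, two_way):
    """'trusting' is the resource domain that accepts accounts from 'trusted'."""
    return {"trusting": trusting, "trusted": trusted,
            "transitive": transitive, "two_way": two_way}


def trust_graph(trusts):
    """Map trusting domain -> [(trusted domain, transitive?)].

    A two-way trust becomes two directed edges.
    """
    graph = defaultdict(list)
    for t in trusts:
        graph[t["trusting"]].append((t["trusted"], t["transitive"]))
        if t["two_way"]:
            graph[t["trusted"]].append((t["trusting"], t["transitive"]))
    return graph


def trust_path(trusts, resource_domain, account_domain):
    """Return the chain of domains from resource_domain to account_domain
    that lets the resource domain authenticate the account, or None.

    A direct trust is always usable, transitive or not. An indirect path
    is usable only if every hop on it is transitive: a non-transitive
    trust never carries authentication on behalf of a third domain.
    """
    if resource_domain == account_domain:
        return [resource_domain]
    graph = trust_graph(trusts)
    for nxt, _ in graph[resource_domain]:
        if nxt == account_domain:
            return [resource_domain, account_domain]
    queue = deque([[resource_domain]])
    seen = {resource_domain}
    while queue:
        path = queue.popleft()
        for nxt, transitive in graph[path[-1]]:
            if not transitive or nxt in seen:
                continue
            seen.add(nxt)
            if nxt == account_domain:
                return path + [nxt]
            queue.append(path + [nxt])
    return None


# Slide 'One-Way, Non-Transitive Trust': A trusts B, B trusts C.
NT4_STYLE = [trust("A", "B", False, False), trust("B", "C", False, False)]

# Slide 'Two-Way, Transitive Trust': A <-> B, B <-> C.
WIN2000_STYLE = [trust("A", "B", True, True), trust("B", "C", True, True)]

# Slide 'Trusts Within Forest'; the tree layout is assumed for this example:
# tree roots A and B (tree-root trust), A has children C and D, B has E and F.
FOREST = [trust("A", "B", True, True),
          trust("A", "C", True, True), trust("A", "D", True, True),
          trust("B", "E", True, True), trust("B", "F", True, True)]

if __name__ == "__main__":
    print("NT4 style, A -> C:", trust_path(NT4_STYLE, "A", "C"))
    print("Win2000 style, A -> C:", trust_path(WIN2000_STYLE, "A", "C"))
    print("Forest, C -> F:", trust_path(FOREST, "C", "F"))
```

The returned path is the referral chain a Kerberos client walks in practice: a user in F accessing a resource in C is referred from C's domain up through A and B before reaching F's KDC, which is why a long chain of parent-child trusts adds latency and why shortcut trusts exist.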
Searching Forests and Trees Users can search for all information within the Domain Tree using a Global Catalog and the Start / Search Feature Allows for fast searching of key information in AD, without querying all of the domains individually
Active Directory - Global Catalog (GC)
- Contains a partial replica of the information held in each of the domains in the forest.
- The network administrator designates which attributes are placed in the Global Catalog and which of them are indexed.
- Site-friendly searches: clients query a GC server in their own site instead of every domain's domain controllers.

Global Catalog and the Domain Tree
A domain controller designated as a GC holds complete information about its own domain, plus partial information (the designated attributes of every object) from all other domains in the forest, not only its own tree.

Global Catalog Schema (diagram)
Full schema attributes:
  User: Account Name, Title, Manager, Office Location, Phone, Division, Cost Center Code, Certification Expires
  Printer: Name, Mfr, Model, Color, Duplex, Asset #, Paper Size
Attributes replicated to the Global Catalog (the partial attribute set):
  User: Account Name, Title, Manager, Office Location, Phone
  Printer: Name, Mfr, Model, Color, Duplex
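The schema slide (an object is a class with attributes), the LDIF entry in the technology list, and the partial attribute set shown above can be tied together in one piece of code: parse an LDIF export into objects-with-attributes, then project each object onto the attributes designated for the Global Catalog. The following Python is an added example, not from the original slides. The LDIF text is constructed (ldifde-style) and is not a dump of a real directory; sAMAccountName, title, manager, physicalDeliveryOfficeName, telephoneNumber, otherTelephone, printerName, driverName, printColor and printDuplexSupported are real Windows 2000 schema attributes, whereas costCenter and assetNumber are hypothetical schema extensions. The set chosen as the partial attribute set is an assumption for the example; in the real schema, membership is the isMemberOfPartialAttributeSet flag on each attributeSchema object.

```python
"""Parse an LDIF export into {attribute: [values]} objects and project
them onto a Global Catalog partial attribute set.

Added example; not from the original slides. SAMPLE_LDIF is constructed.
costCenter and assetNumber are hypothetical schema extensions, and
PARTIAL_ATTRIBUTE_SET is an assumed administrator choice (in the real
schema this is the isMemberOfPartialAttributeSet flag per attribute).
"""
import base64

SAMPLE_LDIF = """\
# constructed sample, not a real export
dn: CN=Asha Rao,OU=Training,DC=delhi,DC=nic,DC=in
objectClass: user
cn: Asha Rao
sAMAccountName: arao
title: Trainer
manager: CN=Training Head,OU=Training,DC=delhi,DC=nic,DC=in
physicalDeliveryOfficeName: Room 101
telephoneNumber: +91 11 0000 0000
otherTelephone: +91 11 0000 0001
otherTelephone: +91 11 0000 0002
division: Training
costCenter: 4711
description:: VHJhaW5pbmcgRGl2aXNpb24=

dn: CN=Colour Printer,OU=Training,DC=delhi,DC=nic,DC=in
objectClass: printQueue
cn: Colour Printer
printerName: Colour Printer
driverName: Generic Laser
printColor: TRUE
printDuplexSupported: FALSE
assetNumber: A-0042
"""

# Attributes the administrator has designated for the Global Catalog
# (lower-cased because LDAP attribute names are case-insensitive).
PARTIAL_ATTRIBUTE_SET = {
    "objectclass", "cn", "samaccountname", "title", "manager",
    "physicaldeliveryofficename", "telephonenumber",
    "printername", "drivername", "printcolor", "printduplexsupported",
}


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry.

    Handles comment lines, folded continuation lines (leading space),
    base64 values ('attr:: ...') and multi-valued attributes.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if current is None:
            if name.lower() != "dn":
                raise ValueError("entry must begin with dn: %r" % line)
            current = {"dn": [value]}
        else:
            current.setdefault(name, []).append(value)
    return entries


def gc_projection(entry):
    """Keep the dn plus only the attributes in the partial attribute set."""
    return {name: values for name, values in entry.items()
            if name == "dn" or name.lower() in PARTIAL_ATTRIBUTE_SET}


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0])
        print("  full object :", sorted(entry))
        print("  in the GC   :", sorted(gc_projection(entry)))
```

The projection is the practical reason the GC matters for security review: anything an administrator adds to the partial attribute set becomes readable forest-wide on port 3268 by every authenticated user, so sensitive custom attributes (the costCenter-style extensions above) should stay out of it.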
Physical Components of Active Directory Sites Domain Controllers
Sites are used for logon authentication (a client looks for a domain controller in its own site) and for replication scheduling.

Active Directory - Site
- A site relates directly to the network topology and network connectivity; it is defined as an area of good network connectivity (typically one or more well-connected IP subnets).
- Primarily affects user logon and replication traffic.
- Site boundaries are independent of domain boundaries: one site can hold domain controllers of several domains, and one domain can span several sites.

Replication Protocols
- Replication within a site uses RPC over IP, uncompressed and triggered by change notification.
- Replication between sites can use RPC over IP or SMTP. SMTP can only carry the schema, configuration and global catalog partitions, i.e. replication between different domains; the domain partition between domain controllers of the same domain must use RPC over IP. SMTP replication also requires certificates from an enterprise certification authority.

Knowledge Consistency Checker (KCC) configures replication connections (diagram)
Under the Site object sit Server objects A and B, each with an NTDS Settings object. Below each NTDS Settings object the KCC creates inbound Connection objects: the connection under A names B as the replication source for A, and the connection under B names A as the replication source for B.
Reviewing design Strategy Start with one domain Reflect the business need, geography, and allow room for growth
Rules for parts
Every Site, Domain and Organizational Unit (SDOU) must have a reason for its existence: Who is creating the directory object? What is its purpose? Who will administer it? How long will it live? What specific characteristics or special conditions apply?
Introduction to Group Policy Group Policy Settings Group Policy Objects
Group Policy
Group Policy settings define the components of the user's desktop environment that a system administrator needs to manage. To create a specific desktop configuration for a particular group of users, you use the Group Policy snap-in. Group Policy settings are associated with selected Active Directory containers: sites, domains or organizational units.
Group Policy Settings IntelliMirror Technology Specify Settings for: Registry-based policy settings Options for local, domain, and network security Central management of software installation Startup, shutdown, logon, and logoff scripts Store users folders on the network
User and computer policy User policy (settings located under the User Configuration node in Group Policy) is obtained when a user logs on. Computer policy settings are located under Computer Configuration, and are obtained when a computer boots.
Order of processing (diagram): Local Group Policy, then Site Group Policy, then Domain Group Policy, then Organizational unit Group Policy. Settings applied later override earlier ones, so an OU's policy normally wins over the domain's, which wins over the site's.

Inheritance of Group Policy in Active Directory (diagram)
Site GPO: Enforce secure logon, Add registry keys
Domain GPO: Configure Start menu, Set wallpaper
OU1 (Accounting) GPO: Configure Start menu, Specify logon script
OU2 GPO: Specify logon script
Result: all domains in the site receive the same security settings; Accounting receives its own Start menu and the domain wallpaper; OU1 and OU2 receive their own logon scripts.

Creating a Group Policy Object (screenshot, Active Directory Users and Computers)
Right-click the site, domain or OU (here the Accounting OU), choose Properties, then the Group Policy tab. The tab lists the Group Policy Object links for the container, each with a No Override and a Disabled flag, and the buttons New, Add, Edit, Options, Delete, Properties, Up and Down. GPOs higher in the list have the highest priority. The list is obtained from the PDC emulator. The Block Policy inheritance check box stops GPOs linked at higher levels from applying to this container, except those marked No Override.
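The precedence, No Override and Block Policy inheritance rules from the last three slides are easy to get wrong when several containers are involved, so here they are as a small resolver. The following Python is an added example, not from the original slides and not Windows' own policy engine; the GPO names and settings are constructed to match the inheritance diagram. It models the documented Windows 2000 behaviour that the local GPO is processed first and is not subject to Block Policy inheritance, and that when No Override links exist at several levels the one from the higher container wins.

```python
"""Compute the effective Group Policy settings for a target whose
container chain is Site -> Domain -> OU -> sub-OU, following the
precedence, 'No Override' and 'Block Policy inheritance' rules on the
preceding slides.

Added example; not from the original slides and not Windows' own policy
engine. GPO names and settings are constructed from the deck's diagram.
"""


def gpo(name, **settings):
    return {"name": name, "settings": settings}


def link(target, no_override=False, disabled=False):
    return {"gpo": target, "no_override": no_override, "disabled": disabled}


def container(name, links, block_inheritance=False):
    """links: as shown on the Group Policy tab, highest priority first."""
    return {"name": name, "links": links, "block_inheritance": block_inheritance}


def resolve_policy(chain, local=None):
    """chain: containers top-down (site, domain, OU, sub-OU ...).
    Returns (effective_settings, names of GPOs in the order applied)."""
    # Lowest container that blocks inheritance, if any: links from the
    # containers above it are dropped unless they are marked No Override.
    blockers = [i for i, c in enumerate(chain) if c["block_inheritance"]]
    block_from = max(blockers) if blockers else None

    normal, enforced = [], []
    for level, c in enumerate(chain):
        # The tab lists the highest-priority GPO first, so apply it last.
        for ln in reversed(c["links"]):
            if ln["disabled"]:
                continue
            if ln["no_override"]:
                enforced.append(ln["gpo"])
            elif block_from is None or level >= block_from:
                normal.append(ln["gpo"])

    # Local GPO first (it is applied on the machine itself, so a block
    # on a container does not remove it); then inherited links top-down,
    # so the lowest container wins; then No Override links bottom-up, so
    # the highest container wins and nothing below can override it.
    applied = ([local] if local else []) + normal + enforced[::-1]
    effective = {}
    for g in applied:
        effective.update(g["settings"])
    return effective, [g["name"] for g in applied]


# Constructed to match the deck's inheritance diagram.
SITE_GPO = gpo("Site security", secure_logon="required", registry_keys="added")
DOMAIN_GPO = gpo("Domain desktop", start_menu="domain", wallpaper="domain.bmp")
ACCT_GPO = gpo("Accounting desktop", start_menu="accounting", logon_script="acct.bat")
OU2_GPO = gpo("OU2 scripts", logon_script="ou2.bat")


def example_chain(block_accounting=False, enforce_site=False):
    return [
        container("Site", [link(SITE_GPO, no_override=enforce_site)]),
        container("Domain", [link(DOMAIN_GPO)]),
        container("OU1 Accounting", [link(ACCT_GPO)],
                  block_inheritance=block_accounting),
    ]


if __name__ == "__main__":
    for kwargs in ({}, {"block_accounting": True},
                   {"block_accounting": True, "enforce_site": True}):
        settings, order = resolve_policy(example_chain(**kwargs))
        print(kwargs, "->", order, settings)
```

The third case in the usage loop is the one that matters operationally: an OU administrator who blocks inheritance to escape the domain's desktop settings still receives the site security GPO as long as the site administrator marked it No Override, which is how security settings are kept out of reach of delegated OU owners.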
Managing Group Policy Object Permissions: modifying permissions, filtering the scope of a GPO, delegating control with permissions.
(Screenshot, GPO Properties, Security tab: entries such as User 1 (user1@samerica1.contoso.msft) and Phone Support (SAMER\Phone Support); permissions Full Control, Read, Write, Create All Child Objects, Delete All Child Objects and Apply Group Policy, each with Allow and Deny.)
A GPO applies to a user or computer only if that security principal has both Read and Apply Group Policy. Removing or denying Apply Group Policy for a group filters that group out of the GPO's scope; granting Write or Full Control delegates the right to edit the GPO without it applying to the holder.

Examining the Group Policy Interface (screenshot, Group Policy snap-in editing Default Domain Policy [London.conto...])
The tree has two nodes, Computer Configuration and User Configuration, each containing Software Settings, Windows Settings and Administrative Templates.

Configuring the Registry by Using Group Policy (screenshot)
Computer Configuration > Administrative Templates contains Windows Components and System; under System are Logon, Disk Quotas, DNS Client and Group Policy. Disk Quotas lists the policies Enable disk quotas, Enforce disk quota limit, Default quota limit and warning level, Log event when quota limit exceeded, Log event when quota warning level exceeded and Apply policy to removable media. Each Administrative Templates policy has three states: Not Configured (ignore), Enabled (implement) and Disabled (do not implement, remove the setting). The Explain tab for Enable disk quotas reads: enable disk quotas for all NTFS volumes on the computer.
Folder Redirection: Desktop Properties, Target tab (screenshot)
Setting options:
- No administrative policy specified: the Group Policy Object has no effect on the location of this folder.
- Basic: redirect everyone's folder to the same location. The folder is redirected to the specified location; an example target path is \\server\share\%username%, here \\london\desktops\%username%.
- Advanced: specify locations for various user groups. The folder is redirected to different locations based on the security group membership of the users, e.g. CONTOSO\acct to \\london\acct\%username% and CONTOSO\sales to \\london\sales\%username% (Add, Edit, Remove, Browse).

Configuring Folder Redirection Settings (Desktop Properties, Settings tab)
- Grant the user exclusive rights to Desktop.
- Move the contents of Desktop to the new location.
- Policy Removal: either leave the folder in the new location when the policy is removed, or redirect the folder back to the local user profile location when the policy is removed.