Use global groups to hold accounts as members. Keep group nesting to a minimum to avoid confusion.
Use domain local groups to provide access to resources in a specific domain, then add the domain local groups to the access control lists of specific resources in that domain, such as shared folders and printers.
Use universal groups to provide extensive access to resources, particularly when Active Directory contains multiple trees or forests, or to simplify access when there are multiple domains.
Sunday, October 16, 2011
Security Group Management
Types of groups and associated scopes:
Local: Stand-alone servers that are not part of any domain
Domain local: Used when there is a single domain or to manage resources in a particular domain so that global and universal groups can access those resources
Global: Used to manage group accounts from the same domain so that those accounts can access resources in the same and in other domains
Universal: Used to provide access to resources in any domain within the forest.
Security groups
Enable access to resources on a) a stand-alone server or b) in Active Directory
Distribution groups
Used for e-mail or telephone lists to provide a quick, mass distribution of information
User Account Management
There are 2 ways that we can create user accounts:
a) Accounts that are set up through a stand-alone server that does not have Active Directory installed
b) Accounts that are set up in a domain when Active Directory is installed
Transitive trust
- If A and B have a trust and B and C have a trust, A and C automatically have a trust as well
- Transitive, two-way trust relationships allow any new domain in the tree to have full access to any object in any child/parent domain
- Authentication to objects in other domains is performed using Kerberos
Sunday, October 2, 2011
Account Management
There are 2 ways that we can create user accounts:
1) Accounts that are set up through a stand-alone server that does not have Active Directory installed
Install Local Users and Groups MMC snap-in:
For standalone servers that do not use Active Directory
2) Accounts that are set up in a domain when Active Directory is installed.
Use Active Directory Users and Computers tool
From the Administrative Tools menu or as an MMC snap-in
Create each new account by entering account information and password controls
Domain users have access to any network resource in the domain (as long as they are authorized)
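The group strategy from the notes at the top of this page (accounts in global groups, global groups nested in domain local groups, domain local groups on the resource ACL) together with the domain account creation from this post, as one added PowerShell example that is not part of the original notes. It assumes the ActiveDirectory module, a placeholder domain corp.example (NetBIOS name CORP) with OU=Users and OU=Groups, and a shared folder at D:\Shares\Finance on the server where the script runs.

```powershell
# Added example, not from the original notes: the AGDLP pattern in practice.
# Assumptions (placeholders): ActiveDirectory module available, domain
# corp.example (NetBIOS CORP), OUs OU=Users and OU=Groups, and the share's
# local folder D:\Shares\Finance on the server where this runs.
Import-Module ActiveDirectory

$userOU    = 'OU=Users,DC=corp,DC=example'    # assumed OU for accounts
$groupOU   = 'OU=Groups,DC=corp,DC=example'   # assumed OU for groups
$sharePath = 'D:\Shares\Finance'              # assumed folder behind the share

# 1) Domain account with password controls: password is prompted (never
#    hard-coded), must be changed at first logon, account enabled.
$initialPwd = Read-Host -AsSecureString -Prompt 'Initial password for jdoe'
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@corp.example' `
    -Path $userOU -AccountPassword $initialPwd -ChangePasswordAtLogon $true -Enabled $true

# 2) Global group = a role; it holds accounts only.
New-ADGroup -Name 'GG-Finance-Staff' -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Description 'Finance staff (role)'
Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members 'jdoe'

# 3) Domain local group = one permission on one resource; the global group
#    is nested exactly one level deep.
New-ADGroup -Name 'DL-Finance-Share-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description 'Modify on the Finance share'
Add-ADGroupMember -Identity 'DL-Finance-Share-Modify' -Members 'GG-Finance-Staff'

# 4) Only the domain local group is placed on the resource ACL.
$acl  = Get-Acl -Path $sharePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new('CORP\DL-Finance-Share-Modify',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 5) Check that nesting stays at one level: every member of the domain local
#    group is a global group, and no global group contains another group.
function Test-AgdlpNesting {
    param([string]$DomainLocalGroup)
    $ok = $true
    foreach ($m in Get-ADGroupMember -Identity $DomainLocalGroup) {
        if ($m.objectClass -ne 'group') { $ok = $false; continue }
        if ((Get-ADGroup -Identity $m.DistinguishedName).GroupScope -ne 'Global') { $ok = $false }
        elseif (Get-ADGroupMember -Identity $m.DistinguishedName | Where-Object objectClass -eq 'group') { $ok = $false }
    }
    return $ok
}
Test-AgdlpNesting -DomainLocalGroup 'DL-Finance-Share-Modify'
```

The check in step 5 returns False as soon as a user sits directly in the domain local group or a group is nested inside the global group, which is the nesting the notes say to keep to a minimum.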
Containers in Active Directory
Forests
Highest level in an Active Directory
One or more Active Directory trees that are in a common relationship
Forest Main Characteristics:
- The trees can use disjointed namespaces
- All trees use the same schema
- All trees use the same global catalog
- Domains enable administration of commonly associated objects, such as accounts and other resources within the forest
- Two-way transitive trusts are automatically configured between domains within a single forest
Active Directory functions supported forest-wide
The functional levels are:
Windows 2000 native forest functional level
Provides Active Directory functions compatible with a network that has a combination of Windows 2000 Server, Windows Server 2003 and Windows Server 2008 DCs
Windows Server 2003 forest functional level
Intended for Windows Server 2003 and 2008 DCs only
Windows Server 2008 forest functional level
Contains only Windows Server 2008 DCs
Trees
- Contains one or more domains that are in a common relationship
- Domains in a tree typically have a hierarchical structure in which the parent domain at the top can have multiple child domains beneath it
- These domains use the contiguous namespace format, in that child domains inherit a portion of their namespace from the parent domain
Domains
- Logical partition within an Active Directory forest
- Primary container within Active Directory
- It groups objects that exist in the domain
- To provide an AD partition to house objects
- To establish a set of information to be replicated from one DC to another one
- To expedite management of a set of objects
- Small and medium-sized companies should have one domain
- Large companies should have more than one domain
Organizational units (OUs)
Grouping of related objects within a domain (Similar to folders and sub-folders)
Allow the grouping of objects so that they can be administered using the same group policies
- Such as security and desktop setup
- OUs also allow administration to be delegated to a different user
- Group policies can be inherited at different levels
Trusted domain
Granted access to resources
Trusting domain
One granting access to another domain
Namespaces: contiguous and disjointed
Active Directory uses contiguous and disjointed namespaces.
Contiguous namespace
Every child object contains the name of the parent object
e.g. msdn2.microsoft.com (the parent object is microsoft.com)
Disjointed namespace
Child name does not resemble the name of its parent object
e.g. www.hotmail.com is the child of msn.com
3 main components of Active Directory
1) Schema
Defines objects and the information pertaining to those objects that can be stored in Active Directory
An object can be a user account, a printer, a computer, etc
Each object in active directory is defined through the schema
Schema information for objects in a domain is replicated on every DC
Each object has multiple attributes
For a user account, attributes include:
User Name
Email
Password
Address
2) Global Catalog
Stores information about every object within the forest
First DC configured in a forest becomes global catalog
Can change to another DC
Purposes:
- Authenticating users when they log on (universal group membership)
- Uses cached credentials
- Forest-wide searches and access to all resources in all domains
- Replication of key AD elements
- Keeps copy of most used attributes for quick access
3) Namespace
Name resolution (DNS)
- Converts computer and domain names to IP addresses
- At least one DNS server is needed in the domain
- Active Directory uses DNS to find and interact with different network resources
- DNS and Active Directory can reside in the same physical server
- Logical area on a network that contains directory services and named objects
- Has the ability to perform name resolution (forward and reverse namespaces within the DNS)
Active Directory Basics
Active Directory Directory Service (AD DS)
Houses information about all network resources:
- Servers, printers, user accounts, groups of user accounts, security policies, and other information
- Central listing of network resources
- Quick access to network resources
Domain controllers (DCs)
- Servers that have the AD DS server role installed
- A Domain can have multiple DCs for Fault Tolerance and Load Balancing
Member servers
Do not have AD installed (therefore they are not DCs)
Domain
- Fundamental component or container
- Holds information about all network resources that are grouped within the domain (e.g. all user accounts in the domain and all LAN printers)
- Each DC is equal to every other DC
- Each DC has a full list of all network resources in the domain
- Objects defined on one DC are replicated to the other DCs
- The volume of information to be replicated can be limited if required. This is a good option for slow links
- Advantage: if one DC goes down, there is no network interruption