Active Directory - Users

- Active Directory (AD) uses domain controllers (DCs) to create logical containers that organize servers and make management easier. It is important to have multiple DCs for redundancy, fault tolerance, and load balancing.
- AD is a directory service that uses DCs to create containers. Its performance depends on server hardware, network capabilities, and WAN connection type. It should be tested before live implementation.
- User and computer objects stored in AD allow access to domain resources. Organizational units help manage inheritance, and administration can be decentralized by assigning rights to OUs. Groups are used to efficiently grant permissions to multiple users and computers.

Uploaded by varday

ACTIVE DIRECTORY

WHERE IT ALL GOES DOWN!!


WHAT A DOMAIN CONTROLLER DOES

• DCs create logical containers
• These containers organize a server
• Containers also make it easier to manage a server

DCS

• You should have more than one DC
• DCs provide redundancy
• DCs provide fault tolerance
• DCs provide load balancing

AD IS A DIRECTORY SERVICE

• AD is used to create logical containers
• Its performance is affected by
  • Server hardware
  • Network capabilities
  • Type of WAN connection
• Be sure to test AD before implementing it in a live environment

ADDING DCS

• Installation considerations
  • Use a static IP address
  • If adding to an existing domain, use the domain's DNS server
  • Don't allow the computer to add one automatically

ADDS

• Adding the ADDS role doesn't automatically make the server a DC: T or F
• Adding the ADDS role only preps the server for the conversion process: T or F
• Once the ADDS role is installed, the server cannot be promoted to a DC: T or F

PROMOTING TO A DC

• After the ADDS role is installed, the ADDS installation wizard comes up automatically
• Create a new forest with a DC
• New DCs can be added to existing domains
• Child domains can be created in an existing domain

LAB

• Create a child DC in an existing domain
• Check to make sure you did the lab correctly

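An added example (not from the slides) that walks the lab in PowerShell: role install, the prerequisite test the deck asks for, child-domain promotion, and the check afterwards. Assumed names: parent domain corp.example, new child domain "lab", run elevated on the server being promoted.

```powershell
# Added example, not from the slides. Assumed: parent domain corp.example,
# new child domain "lab". Run in an elevated session on the server to promote.

# 1. The role install only preps the server; it is not a DC yet
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Installation considerations: static IP, DNS pointing at the parent's DNS
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, DNSServer
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example' -Type SRV  # parent DCs must resolve

$cred = Get-Credential -Message 'Enterprise Admins member of corp.example'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 3. Test before going live: runs the prerequisite checks, changes nothing
Test-ADDSDomainInstallation -NewDomainName 'lab' -ParentDomainName 'corp.example' `
    -DomainType ChildDomain -Credential $cred -SafeModeAdministratorPassword $dsrm

# 4. Promote as the first DC of lab.corp.example, with DNS and a delegation in the parent
Install-ADDSDomain -NewDomainName 'lab' -ParentDomainName 'corp.example' `
    -DomainType ChildDomain -Credential $cred -SafeModeAdministratorPassword $dsrm `
    -InstallDns:$true -CreateDnsDelegation:$true -Force

# 5. After the reboot: confirm the lab was done correctly
Get-ADDomainController -Identity $env:COMPUTERNAME |
    Select-Object HostName, Domain, Site, IsGlobalCatalog
dcdiag /test:RegisterInDNS /dnsdomain:lab.corp.example /v
```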
REMOVING A DC

Using the Remove Roles and Features wizard

Using PowerShell
# -ForceRemoval is for a DC that can no longer reach the rest of the domain;
# -LocalAdministratorPassword takes a SecureString, not plain text
Uninstall-ADDSDomainController -ForceRemoval -LocalAdministratorPassword <password> -Force

REMOVE YOUR AD DS - LAB

• Add roles and features
• Don't forget to demote the server
  • First demote
  • Then remove ADDS and DNS

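An added example (not from the slides) of the removal lab in the order it stresses: demote first, remove the roles second, then confirm from a surviving DC. The server name and domain are assumed.

```powershell
# Added example, not from the slides. Run elevated on the DC being removed.
$localAdmin = Read-Host -AsSecureString -Prompt 'New local Administrator password'

# 1. Normal demotion: the DC replicates its pending changes and removes its own
#    metadata. Prefer this over -ForceRemoval, which leaves stale metadata that
#    must then be cleaned up on a surviving DC.
Uninstall-ADDSDomainController -LocalAdministratorPassword $localAdmin -Force
# If this is the last DC of the domain, add:
#   -LastDomainControllerForDomain -RemoveApplicationPartitions

# 2. After the reboot the server is an ordinary server; only now remove the roles
Uninstall-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools -Restart

# 3. From a surviving DC: the demoted server must no longer be listed
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
```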
DNS AND AD DS

• DNS is essential to ADDS
• The DNS records are
  • Used to locate DCs
  • Used to locate ADDS
• ADDS needs access to DNS because registration is handled automatically upon creation

REGISTRATION CONCERNS

• Failed registration can have negative effects
  • Computers can't use the controller to join the domain
  • Existing domain members won't be able to log on
  • DCs can't replicate with a failed controller

TESTING REGISTRATION

• Registration can be tested with a CLI command
• Dcdiag /test:registerindns /dnsdomain:<domain name> /v

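An added example (not from the slides) that checks the three DNS locator records other computers use to find this DC, and falls back to re-registration plus the dcdiag test above when one is missing. It assumes the ActiveDirectory module on the DC being checked.

```powershell
# Added example, not from the slides. Run on the DC whose registration is in doubt.
Import-Module ActiveDirectory
$domain  = (Get-ADDomain).DNSRoot
$dc      = Get-ADDomainController -Identity $env:COMPUTERNAME
$records = @(
    "_ldap._tcp.dc._msdcs.$domain",                      # generic DC locator
    "_kerberos._tcp.dc._msdcs.$domain",                  # KDC locator
    "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$domain"    # site-specific locator
)

$missing = @()
foreach ($name in $records) {
    try {
        $srv  = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop
        $mine = $srv | Where-Object { $_.NameTarget -eq $dc.HostName } | Select-Object -First 1
        if ($mine) { "OK      $name -> $($mine.NameTarget):$($mine.Port)" }
        else       { "MISSING $name lists other DCs but not $($dc.HostName)"; $missing += $name }
    } catch {
        "MISSING $name ($($_.Exception.Message))"; $missing += $name
    }
}

if ($missing) {
    # Netlogon re-registers the DC's records on demand; then rerun the slide's test
    nltest /dsregdns
    dcdiag /test:RegisterInDNS /dnsdomain:$domain /v
}
```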
CONFIGURATION OPTIONS OF DNS

• Install DNS services on the computer being configured
• Or
• Have the DC use a different DNS server

USER OBJECTS

• User accounts are the main means of accessing AD resources
• There are several types of accounts:
  • Local users
    • Can only access resources on the current computer
    • Are not replicated to other computers
    • No access to AD

USER OBJECTS

  • Domain users
    • Access to AD
    • Replicated to other computers
  • Built-in accounts
    • Automatically created on Server 2012
    • Admin
      • On a stand-alone server, this account has full control of files on the local server
      • On a DC, this account has full control of the entire domain
      • On either server, this account cannot be deleted, but it can be renamed or disabled.
    • Guest acct.
      • Can be local or domain users
      • Stand-alone servers: local user accounts
      • DCs: domain user accounts

SECURITY GUIDELINES

• Admin acct.
  • Rename the Admin account
  • Set a strong password on the admin acct
  • Limit who knows the acct password
  • Don't use it for daily, non-admin tasks
• Guest acct.
  • Is intended only to provide temporary network access
  • Cannot be deleted
  • Is disabled by default
  • Not assigned a default password
  • Create unique accounts for temp users
  • Rename the guest account after enabling it to be used
  • Don't use the acct name GUEST for temp users
  • Set strong passwords

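An added example (not from the slides) that audits the built-in Administrator and Guest accounts against the guidelines above. It finds them by well-known RID (500 and 501) rather than by name, so the check keeps working after the recommended rename; the new name in the remediation lines is an assumption.

```powershell
# Added example, not from the slides. Requires the ActiveDirectory module.
Import-Module ActiveDirectory
$domainSid = (Get-ADDomain).DomainSID.Value
$builtIn   = @{ Administrator = "$domainSid-500"; Guest = "$domainSid-501" }

function Test-BuiltInAccount {
    param([string]$Role, [string]$Sid)
    $u = Get-ADUser -Identity $Sid -Properties PasswordLastSet, LastLogonDate
    $findings = @()
    if ($u.SamAccountName -eq $Role) { $findings += "still named '$Role' (rename it)" }
    switch ($Role) {
        'Administrator' {
            if ($u.PasswordLastSet -lt (Get-Date).AddDays(-90)) {
                $findings += "password last set $($u.PasswordLastSet) (set a strong, fresh one)"
            }
            if ($u.LastLogonDate -gt (Get-Date).AddDays(-1)) {
                $findings += 'logged on in the last 24 h (not for daily tasks)'
            }
        }
        'Guest' {
            if ($u.Enabled) { $findings += 'enabled (keep it disabled; use unique temp accounts)' }
        }
    }
    $summary = if ($findings) { $findings -join '; ' } else { 'OK' }
    [pscustomobject]@{ Role = $Role; Name = $u.SamAccountName; Enabled = $u.Enabled; Findings = $summary }
}

foreach ($role in $builtIn.Keys) { Test-BuiltInAccount -Role $role -Sid $builtIn[$role] }

# Remediation from the guidelines (assumed new name). Rename-ADObject needs the DN;
# both the object name and the logon name are changed, Guest is disabled.
# $adminDn = (Get-ADUser -Identity $builtIn.Administrator).DistinguishedName
# Rename-ADObject   -Identity $adminDn -NewName 'corp-breakglass'
# Set-ADUser        -Identity $builtIn.Administrator -SamAccountName 'corp-breakglass'
# Disable-ADAccount -Identity $builtIn.Guest
```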
CREATE USERS

• Tools
  • AD Users and Computers
  • Or
  • Administrative Center

CONT.

• User 1
• User 2
• User 3
• User 4

LAB CONT.

• Create a user template
• Should we remove users when they are no longer with our organization?

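An added example (not from the slides) for this lab: create a user from a template account, then handle a leaver the way most shops answer the question above, by disabling first rather than deleting. Assumed: a disabled template "_tmpl-sales" in OU=Sales,DC=corp,DC=example and an OU=Disabled for leavers.

```powershell
# Added example, not from the slides. Assumed template, OUs and names as in the lead-in.
Import-Module ActiveDirectory
$ou       = 'OU=Sales,DC=corp,DC=example'
$template = Get-ADUser -Identity '_tmpl-sales' `
    -Properties Department, Company, Office, StreetAddress, City, Country, MemberOf

# -Instance copies the template's retrieved attributes; account-specific values
# (name, logon, password, enabled state) are given explicitly and win over the template
$initial = Read-Host -AsSecureString -Prompt 'Initial password for jdoe'
New-ADUser -Instance $template -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@corp.example' -Path $ou `
    -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true

# Group membership is not copied by -Instance; copy it from the template explicitly
foreach ($g in $template.MemberOf) { Add-ADGroupMember -Identity $g -Members 'jdoe' }
Get-ADUser -Identity 'jdoe' -Properties Department, MemberOf |
    Select-Object Name, Department, Enabled, MemberOf

# Leaver: disable before (or instead of) deleting. The SID and its permission
# history stay auditable, and the account can be re-enabled if the removal was wrong.
Disable-ADAccount -Identity 'jdoe'
Set-ADUser -Identity 'jdoe' -Description "Disabled $(Get-Date -Format yyyy-MM-dd): left the organization"
Move-ADObject -Identity (Get-ADUser -Identity 'jdoe').DistinguishedName `
    -TargetPath 'OU=Disabled,DC=corp,DC=example'
```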
COMPUTER OBJECTS

• AD tracks everything on a network.
• Two things are needed to access a domain:
  • A user account and password
  • A recognized computer object

COMPUTER OBJECTS STORED IN AD

• Computer object specifications
  • Define the properties of a computer
  • Specify the computer's name
  • Specify where the PC is located
  • Specify who is able to use the computer

CONT.

• Computer objects inherit group policy settings
• Computer objects can be members of groups
  • Members of groups will inherit group permissions

COMPUTERS PRIMARILY AUTHENTICATED

• Netlogon on the client contacts Netlogon on the domain
• Once verified, a channel is opened between the computers
• A secure channel is used to connect to the domain
• The client must have a user account in the domain

CREATE COMPUTER OBJECTS LAB

• Computer 1
  • Tools
• Computer 2
  • AD
• Computer 3
  • Template

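An added example (not from the slides) covering the computer-object slides: pre-stage a computer object with its name, location and responsible group, put it in a group, and then, from the client, verify the Netlogon secure channel the authentication slide describes. OU, group and computer names are assumed.

```powershell
# Added example, not from the slides. Assumed: OU=Workstations and a group "LabPCs"
# in corp.example, a helpdesk group as ManagedBy, and a client named WS-LAB-01.
Import-Module ActiveDirectory

# Pre-stage the computer object: name, location, who is responsible for it
New-ADComputer -Name 'WS-LAB-01' -SamAccountName 'WS-LAB-01$' `
    -Path 'OU=Workstations,DC=corp,DC=example' `
    -Location 'Building 2, room 14' -Description 'Lab workstation' `
    -ManagedBy 'CN=Helpdesk-Sales,OU=Groups,DC=corp,DC=example' -Enabled $true

# Computer objects can be group members and inherit the group's permissions
Add-ADGroupMember -Identity 'LabPCs' -Members 'WS-LAB-01$'
Get-ADComputer -Identity 'WS-LAB-01' -Properties MemberOf, Location, ManagedBy |
    Select-Object Name, DistinguishedName, Location, ManagedBy, MemberOf

# On the client after it has joined: check the Netlogon secure channel to a DC.
# A broken channel (typically a computer-account password mismatch) is what stops
# domain users from logging on; -Repair resets it with a domain account.
if (-not (Test-ComputerSecureChannel)) {
    Test-ComputerSecureChannel -Repair `
        -Credential (Get-Credential -Message 'Domain account allowed to reset the computer account')
}
nltest /sc_query:corp.example   # shows which DC the secure channel is established with
```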
DISABLE USER ACCOUNT

• Disable an acct.
• Look at the down arrow

WHAT ARE ORGANIZATIONAL UNITS?

• OUs are objects created to manage inheritance in AD
• By default, there is only one OU, the Domain Controllers OU (DCOU)
• All other OUs must be created separately
• OUs are not considered security principals
  • You cannot assign access permissions based on OUs.
• Groups are special OUs that allow assigning permissions

DECENTRALIZED ADMIN

• You can assign a user admin rights to an OU
  • This allows the user to do admin tasks on the assigned OU.
  • This won't allow the user to do admin tasks on the whole domain
• This minimizes the number of users with global admin rights
• This limits the damage to a single OU if a mistake is made

CREATE OU LAB

• Create OUs
• Delegate control of an OU

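An added example (not from the slides) of the OU lab done in PowerShell: create the OU, then delegate only the "Reset Password" right on user objects in it to a helpdesk group, which is the decentralized-admin idea from the previous slide done with a single ACE instead of domain-wide rights. OU and group names are assumed; the two schema GUIDs are the well-known ones for the user class and the Reset Password control access right.

```powershell
# Added example, not from the slides. Assumed: OU "Sales" under corp.example and
# a group "Helpdesk-Sales". Requires the ActiveDirectory module (for the AD: drive).
Import-Module ActiveDirectory
New-ADOrganizationalUnit -Name 'Sales' -Path 'DC=corp,DC=example' -ProtectedFromAccidentalDeletion $true
$ouDn  = 'OU=Sales,DC=corp,DC=example'
$group = Get-ADGroup -Identity 'Helpdesk-Sales'

# Well-known schema GUIDs: the user object class and the Reset Password extended right
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$resetPwdGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# One ACE: allow the group the Reset Password right, inherited by descendant user objects only
$acl = Get-Acl -Path "AD:\$ouDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl
# Equivalent with the built-in tool:
#   dsacls $ouDn /I:S /G "CORP\Helpdesk-Sales:CA;Reset Password;user"

# Verify: the group holds exactly this right on the OU and nothing domain-wide
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*\Helpdesk-Sales' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```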
WORKING WITH GROUPS

• Groups are collections of users
• Can contain other AD objects
• Work as security principals
• Assign permissions to a large number of users
• Can be members of more than one group

GRANTING RIGHTS

• Groups give rights to multiple users
• You can assign user access to a specific resource by adding that resource to a group
• You can change or remove access for all users in a group at one time by removing that resource from the group
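An added example (not from the slides) of the group slides end to end: create a security group, grant it Modify on a folder once, manage access by membership, and revoke either for everyone (drop the group from the ACL) or for one person (drop them from the group). Folder path, group and user names are assumed.

```powershell
# Added example, not from the slides. Assumed: folder D:\Projects\Apollo on this
# server, a domain group "Apollo-RW" in OU=Groups, and an existing user "jdoe".
Import-Module ActiveDirectory
New-ADGroup -Name 'Apollo-RW' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=corp,DC=example' -Description 'Modify access to D:\Projects\Apollo'

# Grant the resource to the group once; users get access through membership only
$folder = 'D:\Projects\Apollo'
icacls $folder /grant 'CORP\Apollo-RW:(OI)(CI)M'
Add-ADGroupMember -Identity 'Apollo-RW' -Members 'jdoe'

# Who really has Modify on the folder: members including nested groups
Get-ADGroupMember -Identity 'Apollo-RW' -Recursive | Select-Object SamAccountName, objectClass

# Revoke for everyone at once: remove the group from the resource's ACL
icacls $folder /remove:g 'CORP\Apollo-RW'
# Or revoke one person: remove them from the group (takes effect at their next logon)
Remove-ADGroupMember -Identity 'Apollo-RW' -Members 'jdoe' -Confirm:$false

# Audit a user: every group in their token, direct and nested (tokenGroups)
$u = Get-ADUser -Identity 'jdoe' -Properties tokenGroups
$u.tokenGroups | ForEach-Object { (Get-ADGroup -Identity $_ -ErrorAction SilentlyContinue).Name }
```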
