
Introduction To Active Directory

This document provides an introduction to Active Directory, including:
• Defining what a directory is and how Active Directory evolved from previous directory structures.
• The value Active Directory provides in centralizing management, delegating administration, and enabling single sign-on.
• The key components of Active Directory, including domains, forests, schema, domain controllers, global catalog, trusts, accounts, groups, organizational units, and group policy.
• How to organize Active Directory to mirror an organization's structure and best manage resources using organizational units and group policy objects.
• An overview of managing Active Directory using tools like Active Directory Users and Computers, Active Directory Sites and Services, and Active Directory Domains and Trusts.

Uploaded by

Javeed Ahamed

Introduction to Active Directory
Tech Coordinator Feast 2007

Joshua Halls ( [email protected] )
Systems Admin – Bloomington Public Schools

Active Directory – The Concept
• ‘Directory’ Defined (Webster):
– 1 a : a book or collection of directions, rules, or ordinances b : an alphabetical or classified list (as of names and addresses)
– 2 : a body of directors
• ‘Directory’ Translated:
– An organized place to look stuff up

Active Directory – The Concept
• AD is an evolution of the flat directory structures that were prevalent up to the late 90s
• AD allows a hierarchical domain structure to be created that mirrors an organization’s management or logical layout

Active Directory – Value Proposition
• Centralizes management of network resources
• Provides a means to delegate administrative control to various groups or users
• Enables organizations to utilize single sign-on (same username and password)

Active Directory – Components
• Domain – a collective unit of management
– Includes users, computers, servers, etc.
– Provides directory (lookup) services
– Provides authentication services
• Forest – a collection of one or more domains
• Schema – a definition of attributes that comprise an object

Active Directory – Components
• Domain Controller – a computer that houses Active Directory and services related requests
• Global Catalog – a read-only collective subset of AD objects and attributes
• Trust relationship – a logical relationship that ties a workstation to a domain or a domain to another domain

Active Directory – Components
• Account – an object in AD that represents a real-world object (in most cases)
– User Account – an object that represents a user
– Computer Account – an object that represents a computer (workstation or server)
• Group – a collection of user accounts, computer accounts and/or other groups. Can be security groups or distribution groups (for e-mail).
• Organizational Unit – a container that houses User Accounts, Computer Accounts, Groups, Printers, etc.

Active Directory – Components
• Group Policy – a collection of tools and standards used to deploy configuration settings and applications to users and/or computers
• Group Policy Object – a specific collection of settings

Active Directory – Components
• DNS – Domain Name System – a standards-based common service that maps host names to IP addresses (and then some)
– DNS is the core service that allows AD clients and servers to locate resources within the directory structure

Active Directory – Organization
• Your AD hierarchy can follow your organization’s geographical layout, its business structure, or a hybrid of the two.
– Organize your OUs for management purposes – the hybrid model (by building, then role)
– Group machines with similar roles/functions (administrators, classrooms, labs, public use machines)

Active Directory – Organization
• Keep Group Policy Objects simple (e.g. keep all IE settings in one GPO)
• Plan your OUs for inheritance – remember that by default GPOs will be inherited by child OUs
• Do NOT link GPOs to the domain – ONLY at the OU level.
• TEST TEST TEST – create a test set of OUs and populate it with Computers and Users

Active Directory Management

Active Directory Users and Computers
– Groups
• Two types – Security and Distribution
• Domain Local – Include Global/Universal Groups, Applies to Local Domain only
• Global – Includes Only Domain Local Groups, Applies to any Domain in the forest that is trusted
• Universal – Included Anywhere, Applies Anywhere

Active Directory Users and Computers
Users
– Login/out Options
– Login script – c:\WINDOWS\SYSVOL\sysvol\district87.org\scripts
– Home Directory Setup

Active Directory Users and Computers
• Shares/Permissions
– Most Restrictive = Winner
– Denied = Denied NO MATTER WHAT
– 2003 shares now default to READ ONLY instead of Full Control
– Rule of thumb: control access through folder permissions, not share permissions.
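
The share/folder rules on this slide, worked through in a small PowerShell model. This is an added example, not part of the original deck: the three-level rights table, the function names and the sample ACLs are constructed for illustration and simplify the real access masks.

```powershell
# Simplified model: three nested levels, not the full NTFS/share access mask.
# Denying a level removes every bit that level contains.
$Level = @{ Read = 1; Change = 3; FullControl = 7 }

function Get-AclGrant {
    # Rights one ACL yields for a user: allows accumulate across every
    # matching principal, then any matching Deny strips its bits.
    param([string[]]$Principals, [object[]]$Acl)
    $allow = 0
    $deny  = 0
    foreach ($ace in $Acl) {
        if ($Principals -notcontains $ace.Principal) { continue }
        if ($ace.Type -eq 'Deny') { $deny  = $deny  -bor $Level[$ace.Right] }
        else                      { $allow = $allow -bor $Level[$ace.Right] }
    }
    return $allow -band (-bnot $deny)
}

function Get-EffectiveAccess {
    # Over the network both ACLs must permit the access, so the result is
    # the intersection: the more restrictive of share and folder wins.
    param([string[]]$Principals, [object[]]$ShareAcl, [object[]]$FolderAcl)
    $bits = (Get-AclGrant $Principals $ShareAcl) -band (Get-AclGrant $Principals $FolderAcl)
    switch ($bits) {
        7 { 'FullControl' }
        3 { 'Change' }
        1 { 'Read' }
        default { 'None' }
    }
}

# Constructed sample ACLs (hypothetical group names).
$openShare     = @([pscustomobject]@{ Principal = 'Everyone'; Type = 'Allow'; Right = 'FullControl' })
$readOnlyShare = @([pscustomobject]@{ Principal = 'Everyone'; Type = 'Allow'; Right = 'Read' })
$folder = @(
    [pscustomobject]@{ Principal = 'Staff';    Type = 'Allow'; Right = 'Change' },
    [pscustomobject]@{ Principal = 'Students'; Type = 'Deny';  Right = 'FullControl' }
)

# Staff member through an open share: the folder ACL is the limiting factor.
Get-EffectiveAccess -Principals 'jdoe','Everyone','Staff' -ShareAcl $openShare -FolderAcl $folder
# Same user through a read-only share: the share is now the limiting factor.
Get-EffectiveAccess -Principals 'jdoe','Everyone','Staff' -ShareAcl $readOnlyShare -FolderAcl $folder
# Same user also placed in a denied group: the Deny overrides the Staff allow.
Get-EffectiveAccess -Principals 'jdoe','Everyone','Staff','Students' -ShareAcl $openShare -FolderAcl $folder
```

Keeping the share ACL open and expressing every restriction on the folder, as the rule of thumb suggests, leaves a single ACL to audit.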

Active Directory Users and Computers
– Creating OUs
» Reasons for OUs
» Separating Computers and Users
– FSMO Roles
» Operations Manager
» RID
» PDC Emulator
» Infrastructure

Active Directory Sites and Services
• Quick overview of what sites are and why they are important
• License site server
• Global Catalog

Active Directory Domains and Trusts
– Quick overview
– FSMO Roles
» Domain Naming Operations Manager

Active Directory Schema
• Install – regsvr32 schmmgmt.dll

ADSI Edit
• Install – Windows 2000/2003 Support Tools (On the CD Under /Supports/Tools)
• Quick overview
• MMC
– Brief Overview
– Useful for putting together a common set of tools for different levels of use
• Adminpak.msi
• OU Permissions
– Turn on Advanced Features in the View Menu
– Ex: Set up a group of staff that can ONLY change/reset student passwords
• Set permissions in User Objects, Properties Tab
– Read/Write Account Restrictions
• Set permissions in User Objects, Object Tab
– Change Password
– Reset Password
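
The same delegation done from the command line with dsacls, which ships in the Support Tools mentioned above. This is an added example, not part of the original deck; the OU distinguished name and the group name are placeholders.

```powershell
# Placeholder names (assumptions, not from the deck): adjust to your domain.
$StudentOU = 'OU=Students,DC=example,DC=org'
$Delegate  = 'EXAMPLE\Student-Password-Resetters'

# /I:S applies each ACE to child objects only, and the trailing ";user"
# limits it to user objects, so the group gains nothing on the OU itself
# or on computers and groups stored beneath it.

# Control access right "Reset Password" (set a new password without the old one).
dsacls $StudentOU /I:S /G "${Delegate}:CA;Reset Password;user"

# Control access right "Change Password".
dsacls $StudentOU /I:S /G "${Delegate}:CA;Change Password;user"

# Read/write pwdLastSet only, so "User must change password at next logon"
# can be set. This is narrower than the whole Account Restrictions property
# set, which also covers attributes such as userAccountControl.
dsacls $StudentOU /I:S /G "${Delegate}:RPWP;pwdLastSet;user"

# Review: dump the OU's ACL and keep only the lines naming the delegate group.
dsacls $StudentOU | Select-String -SimpleMatch $Delegate
```

Run the review command again after any later change to the OU to confirm the group still holds only these entries.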
• Adding a new AD Server
– Run dcpromo
– Set up a new site if it is replicating data over a WAN link
– Set up extra services if needed
• Removing an AD Server Gracefully
– Transfer all 5 FSMO Roles and the Global Catalog Role
– Transfer any services such as DHCP/WINS/DNS/RIS to another machine.
– Use dcpromo to demote the machine
• Removing an AD Server Ungracefully
– http://www.petri.co.il/transferring_fsmo_roles.htm
– Change Global Catalog Server to a different server
– Delete the old server in AD Management or using ADSI Edit.

That is it!!!!!
• Yes I used 5 !!!!!
• Questions?

Introduction to Active Directory
Tech Coordinator Feast 2007

Joshua Halls ( [email protected] )
Network Admin – Bloomington Public Schools
