This document provides an outline and overview of managing Active Directory Domain Services. It discusses the key components of Active Directory including partitions, replication, sites, and operations master roles. It also covers managing user accounts, computer accounts, groups, and using queries. Administrative tools for Active Directory like Active Directory Users and Computers, Active Directory Administrative Center, and the Active Directory module for Windows PowerShell are also outlined.


CS465 Winter 2023 Term

Chapter 3

Managing Active Directory Domain Services


Outline
2.1 Overview of the AD Infrastructure
2.2 Working with AD Administration Tools
2.3 Managing User Accounts
2.4 Managing Computer Accounts
2.5 Managing Groups
2.6 Using Queries to Locate Objects in AD DS
2.1 Overview of the Active Directory Infrastructure
• Components of Active Directory Domain Services
• What Are Active Directory Partitions?
• What Is Active Directory Replication?
• What Are Active Directory Sites?
• Demonstration 3.0: AD DS Installation
• Domain and Forest Functional Levels
• Operations Master Roles
• Demonstration: How to Manage Operations Master Roles
Components of Active Directory Domain Services
• Forest
• Tree
• Domain
• Domain Controller
• Global Catalog
• Organizational Unit
What Are Active Directory Partitions?
Active Directory partitions contain discrete information about the AD DS directory.

Partitions held in the AD DS database on a domain controller:
• Domain Partition
• Configuration Partition
• Schema Partition
• Application Partition (optional)
What Is Active Directory Replication?
Active Directory partitions contain discrete information about the AD DS directory.

Diagram: the AD DS database on one domain controller replicating with the AD DS database on another domain controller.
What Are Active Directory Sites?
Active Directory sites are objects stored in the directory representing network topology.

Diagram: three sites connected by site links.
Demonstration: How to Set Up Active Directory Domain Services
In this demonstration, you will see how to:
• Install AD DS on Windows Server 2008 R2
• Install AD DS on Windows Server 2012 R2
Domain and Forest Functional Levels
Domain and forest functional levels define the level of Active Directory functionality supplied by all domain controllers within a domain or forest.
Domain and Forest Functional Levels (Cont’d)
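As an added example that is not part of the course slides, the following PowerShell covers the installation demonstration above (AD DS on Windows Server 2012 R2) and then checks and raises the domain and forest functional levels. The domain name contoso.com, the NetBIOS name CONTOSO, and the Windows Server 2012 R2 target level are assumed lab values.

```powershell
# Added example, not course material: install AD DS and manage functional
# levels. contoso.com / CONTOSO and the Windows Server 2012 R2 level are
# assumed lab values. Needs the ADDSDeployment and ActiveDirectory modules
# (installed by step 1) on Windows Server 2012 R2 or later.

# Step 1: add the AD DS role plus the management tools (ADUC, ADAC, AD module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: promote this server to the first DC of a new forest. The level chosen
# here can be raised later but never lowered, so pick the highest level that
# every planned DC supports.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSForest -DomainName 'contoso.com' -DomainNetbiosName 'CONTOSO' `
    -ForestMode 'Win2012R2' -DomainMode 'Win2012R2' -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword -Force
# (the server reboots; continue below on the new DC)

Import-Module ActiveDirectory

# Step 3: report the current levels and every DC's operating system. A single DC
# older than the target level blocks the raise, so list them before trying.
function Get-FunctionalLevelReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        ForestMode         = $forest.ForestMode
        DomainMode         = $domain.DomainMode
        DomainControllerOS = (Get-ADDomainController -Filter * |
            ForEach-Object { "$($_.HostName): $($_.OperatingSystem)" }) -join '; '
    }
}
Get-FunctionalLevelReport

# Step 4: raise the domain level first, then the forest level; the forest level
# can never exceed the lowest domain level in the forest.
Set-ADDomainMode -Identity (Get-ADDomain).DNSRoot -DomainMode Windows2012R2Domain -Confirm:$false
Set-ADForestMode -Identity (Get-ADForest).Name -ForestMode Windows2012R2Forest -Confirm:$false
Get-FunctionalLevelReport
```

The raise is one-way: there is no supported path back to a lower level, which is why the report is run and reviewed before `Set-ADDomainMode` and `Set-ADForestMode` are executed.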
Operations Master Roles
Operations master roles are assigned to a server that is responsible for performing that role's task.

Forest-wide operations master roles:
• Domain Naming Master Role
• Schema Master Role

Domain-wide operations master roles:
• RID Master Role
• Infrastructure Master Role
• PDC Emulator Role

Demonstration: How to Manage Operations Master Roles
In this demonstration, you will see how to:
• Transfer an operations master role to a different domain controller
• Seize an operations master role
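The two demonstration steps above, transfer and seize, done with the Active Directory module as an added example (not code from the course). The domain controller name LON-DC2 is an assumed lab value; the cmdlet and role names are the module's own.

```powershell
# Added example, not course material: locate, transfer and seize operations
# master roles. LON-DC2 is an assumed DC name.
Import-Module ActiveDirectory

# Which DC holds which role: the two forest-wide roles are properties of the
# forest object, the three domain-wide roles are properties of the domain object.
function Get-OperationsMasterReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}
Get-OperationsMasterReport

# Transfer (graceful): the current holder is online and hands the roles over,
# so both DCs agree on who owns them afterwards.
Move-ADDirectoryServerOperationMasterRole -Identity 'LON-DC2' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seize (last resort): only when the current holder is permanently gone. -Force
# makes LON-DC2 take the roles without contacting the old holder, so the old
# holder must be rebuilt rather than reconnected, or two DCs would claim the role.
Move-ADDirectoryServerOperationMasterRole -Identity 'LON-DC2' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, InfrastructureMaster `
    -Force -Confirm:$false

# Verify. Role holders rarely change, so an unexpected difference between two
# runs of this report is worth investigating.
Get-OperationsMasterReport
```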
2.2 Working with Active Directory Administration Tools
• Overview of the Active Directory Administration Snap-ins
• Active Directory Administrative Center
• Demonstration: How to Manage Active Directory Using Management Tools
• Active Directory Module for Windows PowerShell
Overview of the Active Directory Administration Snap-ins
Active Directory administration snap-ins consist of four different Microsoft Management Console snap-ins:
• Active Directory Users and Computers
• Active Directory Sites and Services
• Active Directory Domains and Trusts
• Active Directory Schema

Active Directory Administrative Center
Active Directory Administrative Center is a task-oriented tool based upon Windows PowerShell.
Demonstration: How to Manage Active Directory Using Management Tools
In this demonstration, you will see how to:
• Manage Active Directory by using standard administration snap-ins
• Manage Active Directory by using the Active Directory Administrative Center
Active Directory Module for Windows PowerShell
The Active Directory module for PowerShell provides a self-contained package of Active Directory-related cmdlets that allow you to administer AD DS using PowerShell.

The Active Directory Module for Windows PowerShell provides full administrative functionality in these areas:
• User Management
• Computer Management
• Group Management
• Organizational Unit Management
• Password Policy Management
• Searching and modifying objects
• Forest and Domain Management
• Domain Controller and Operations Master Management
• Managed Service Account Management
2.3 Managing User Accounts
• What Is a User Account?
• User Account Password Options
• User Account Attributes
• Demonstration: Configuring User Accounts
• What Is a User Account Template?
What Is a User Account?
A user account is an object that enables authentication and access to local and network resources.

A user account can be stored:
• In AD DS (AD DS account): AD DS accounts enable logon to domains and provide access to shared network resources
• On the local computer (local account): local accounts enable logon to a single computer and local resources

Creating a user account also creates a SID.

User Account Password Options
User account password options help to mitigate the threat of unauthorized account access.

Policies and default settings:

Password policy: controls complexity and lifetime of passwords
• Complex Password: enabled
• Enforce password history: 24
• Maximum password age: 42 days
• Minimum password age: 1 day
• Minimum password length: 7 characters
• Store password using reversible encryption: disabled

Account Lockout policy: controls how many incorrect attempts can be made
• Lockout threshold: 0 invalid logon attempts
• Lockout duration: not defined
• Reset account lockout after: not defined
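The defaults above can be read back from the domain and compared with what the slide lists. The following check is an added example, not course material: it uses the module's Get-ADDefaultDomainPasswordPolicy and flags the two settings that weaken account protection, reversible encryption and a lockout threshold of 0 (which means accounts are never locked out). The domain name contoso.com and the lockout values in the last step are assumptions for a lab, not course values.

```powershell
# Added example, not course material: compare the effective default domain
# policy with the slide's defaults. contoso.com and the lockout values at the
# end are assumed lab values.
Import-Module ActiveDirectory

function Test-DefaultPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $checks = @(
        [ordered]@{ Setting = 'Complex password enabled';    Actual = $p.ComplexityEnabled;           Ok = $p.ComplexityEnabled }
        [ordered]@{ Setting = 'Enforce password history';    Actual = $p.PasswordHistoryCount;        Ok = $p.PasswordHistoryCount -ge 24 }
        # A reported age of 0 days means passwords never expire, so 1..42 days is required.
        [ordered]@{ Setting = 'Maximum password age (days)'; Actual = $p.MaxPasswordAge.Days;         Ok = ($p.MaxPasswordAge.Days -ge 1) -and ($p.MaxPasswordAge.Days -le 42) }
        [ordered]@{ Setting = 'Minimum password age (days)'; Actual = $p.MinPasswordAge.Days;         Ok = $p.MinPasswordAge.Days -ge 1 }
        [ordered]@{ Setting = 'Minimum password length';     Actual = $p.MinPasswordLength;           Ok = $p.MinPasswordLength -ge 7 }
        # Reversible encryption stores passwords in a recoverable form; it must stay off.
        [ordered]@{ Setting = 'Reversible encryption';       Actual = $p.ReversibleEncryptionEnabled; Ok = -not $p.ReversibleEncryptionEnabled }
        # The slide's default threshold of 0 means no lockout ever occurs, so bad
        # password attempts are unbounded; a non-zero threshold is expected here.
        [ordered]@{ Setting = 'Lockout threshold';           Actual = $p.LockoutThreshold;            Ok = $p.LockoutThreshold -gt 0 }
    )
    foreach ($c in $checks) { [pscustomobject]$c }
}

Test-DefaultPasswordPolicy | Format-Table Setting, Actual, Ok -AutoSize

# Remediate the lockout settings (assumed lab values): lock after 10 bad
# attempts, keep the account locked for 30 minutes, reset the counter after 30 minutes.
Set-ADDefaultDomainPasswordPolicy -Identity 'contoso.com' -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30)
```

Only the default domain policy is checked here; fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override it for specific users and groups and need a separate review.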
User Account Attributes
User account attributes control how the user account interacts with the environment.

Commonly used user account sections:
• General
• Account
• Profile
• Organization
• Member Of
• Dial-in
Demonstration: Configuring User Accounts
In this demonstration, you will see how to do the following:
• Create and configure an AD DS user account by using Active Directory Users and Computers
• Create and configure an AD DS user account by using Active Directory Administrative Center
• Create and configure an AD DS user account by using Windows PowerShell
What Is a User Account Template?
A user account template is an account with common properties already configured.

User account templates take advantage of the similarity between user accounts.

To use user templates:
• Create several typical users reflecting various groups within your organization
• Copy the user account most like the new account you want to create
• Modify the attributes: names, e-mail address, logon name, etc.
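The three template steps above, and the "create a user account with Windows PowerShell" demonstration item, as one added PowerShell example (not course code). The OU, the Sales group, the attribute values and the user names are constructed lab data; New-ADUser's -Instance parameter is the module's own way of using an existing ADUser object as a template.

```powershell
# Added example, not course material: create a template user, then copy it.
# OU, group, attribute values and names are constructed lab data.
Import-Module ActiveDirectory
$ou = 'OU=Sales,DC=contoso,DC=com'

# Step 1: create the "typical" user that will serve as the template. It is
# created disabled and without a password on purpose: a template must never be
# a usable logon identity, or it becomes an unmonitored spare account.
New-ADUser -Name 'Template Sales User' -SamAccountName 'tpl.sales' -Path $ou `
    -Department 'Sales' -Title 'Account Manager' -Company 'Contoso' `
    -ScriptPath 'logon.bat' -Enabled $false
Add-ADGroupMember -Identity 'Sales' -Members 'tpl.sales'

# Steps 2 and 3: copy the template and modify the identity attributes.
function New-ADUserFromTemplate {
    param(
        [string]$Template,
        [string]$Given,
        [string]$Surname,
        [string]$Sam,
        [securestring]$Password
    )
    # Read the template with the attributes worth carrying over. Per-person
    # attributes (SID, SamAccountName, UPN, DN) are never copied by -Instance.
    $tpl    = Get-ADUser -Identity $Template -Properties Department, Title, Company, ScriptPath
    $groups = (Get-ADUser -Identity $Template -Properties MemberOf).MemberOf

    $new = New-ADUser -Instance $tpl -Name "$Given $Surname" -GivenName $Given -Surname $Surname `
        -SamAccountName $Sam -UserPrincipalName "$Sam@contoso.com" -Path $ou `
        -AccountPassword $Password -Enabled $true -ChangePasswordAtLogon $true -PassThru

    # Group membership is a back-link on the user, not a copied attribute, so it
    # is re-applied explicitly from the template's MemberOf list.
    foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members $new }
    return $new
}

$pw = Read-Host -AsSecureString -Prompt 'Initial password for the new user'
New-ADUserFromTemplate -Template 'tpl.sales' -Given 'Alice' -Surname 'Kim' -Sam 'alice.kim' -Password $pw |
    Get-ADUser -Properties Department, Title, MemberOf |
    Select-Object SamAccountName, Department, Title, Enabled, MemberOf
```

Keeping templates disabled and periodically listing disabled accounts whose name begins with the template prefix is a cheap way to confirm no template was ever enabled by mistake.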
2.4 Managing Computer Accounts
• Considerations for Joining a Computer to a Domain
• What Is Offline Domain Join?
• Tools Used to Automate Computer Account Creation
• Managing Computer Accounts
Considerations for Joining a Computer to a Domain
The following points need to be considered when joining a computer to a domain:
• A computer object must be created in the directory service and placed in a container or organizational unit
• You must have appropriate permissions in the domain to create computer objects in AD DS
• Only members of the local Administrators group can change a computer's domain or workgroup membership
What Is Offline Domain Join?
Offline domain join is a new process that can be used by computers that run Windows 7 or Windows Server 2008 R2 to join a domain without contacting a domain controller.

Using Djoin.exe to join NYC-CL1 to the Contoso.com domain:
• On any Windows Server 2008 R2 or Windows 7 computer joined to the domain, run the following command:
Djoin /provision /domain "Contoso" /machine "NYC-CL1" /savefile blob.txt
• Copy the blob.txt file to NYC-CL1 and run this command from NYC-CL1, even if disconnected from the domain:
Djoin /requestODJ /loadfile blob.txt /windowspath %systemroot% /localos

Tools Used to Automate Computer Account Creation
There are a number of tools that can be used to automate the computer account creation process.

Tool examples:
• DSAdd.exe
• Netdom.exe
• CSVDE
• LDIFDE
• Windows PowerShell
• Windows System Image Manager


Managing Computer Accounts
Managing computer accounts requires several management tasks:
• Adding computer accounts
• Modifying attributes
• Deleting computer accounts
• Disabling computer accounts
• Resetting computer accounts
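The management tasks listed above, together with the automated creation and offline-join slides before them, as one added PowerShell example (not course code). The OU, computer names, CSV rows and the 90-day staleness threshold are constructed lab values; djoin.exe and dsmod.exe are the Windows tools the slides name, invoked from PowerShell.

```powershell
# Added example, not course material: automate computer account creation and
# walk through the management tasks. OU, names, CSV rows and the 90-day
# threshold are constructed lab values.
Import-Module ActiveDirectory
$ou = 'OU=Workstations,DC=contoso,DC=com'

# Adding: pre-create accounts from a CSV (built inline here) so the later join
# lands in the intended OU rather than the default Computers container.
$rows = @'
Name,Description
NYC-CL1,Finance laptop
NYC-CL2,Finance laptop
'@ | ConvertFrom-Csv
foreach ($r in $rows) {
    New-ADComputer -Name $r.Name -SamAccountName "$($r.Name)`$" -Path $ou `
        -Description $r.Description -Enabled $true
}

# Adding via offline domain join: /provision creates the account and writes the
# blob. The blob carries the new machine's account password, so it is handled as
# a secret: copied over a restricted channel and deleted after /requestODJ runs.
djoin.exe /provision /domain contoso.com /machine NYC-CL3 /machineou $ou /savefile .\NYC-CL3.txt

# Modifying attributes
Set-ADComputer -Identity 'NYC-CL1' -Location 'New York, floor 3' -Description 'Finance laptop (reimaged)'

# Disabling: accounts with no logon for 90 days are disabled rather than deleted,
# so a machine that reappears can still be identified and investigated.
function Get-StaleComputer {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties LastLogonDate
}
Get-StaleComputer | Disable-ADAccount -Confirm:$false

# Resetting: the same operation as "Reset Account" in ADUC. The machine's secure
# channel is then broken until it re-joins or, as a local administrator on the
# client, runs: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
dsmod.exe computer "CN=NYC-CL2,$ou" -reset

# Deleting: objects protected from accidental deletion must be unprotected first.
Set-ADObject -Identity "CN=NYC-CL2,$ou" -ProtectedFromAccidentalDeletion $false
Remove-ADComputer -Identity 'NYC-CL2' -Confirm:$false
```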
2.5 Managing Groups
• Importance of Groups
• Understanding Role-Based Management Using Groups
• Group Types and Scope
• What Are Global Groups?
• What Are Universal Groups?
• What Are Domain Local Groups?
• What Is Group Nesting?
Importance of Groups
• Access management without groups
• Benefits of using groups
• Scalability of groups
Understanding Role-Based and Rule-Based Management Using Groups

Diagram: role groups ProductionDept, Executives and MarketingDept; rule group ACL_Read_Production_Folders.
Group Types and Scope
Group type defines what the group can be used for:
• Security
• Distribution

Group scope defines how the group operates in the domain environment:
• Domain Local
• Global
• Universal
What Are Global Groups?
Members:
• User and computer accounts from the same domain as the global group
• Global groups from the same domain as the global group

Permissions:
• Global groups can be assigned permissions in any domain in the forest or any trusting domain

Usage:
• Manage directory objects that require daily maintenance, such as user and computer accounts
• Group users who have similar network access requirements

Can be converted to:
• Universal (if it is not a member of any other global groups)
What Are Universal Groups?
Members:
• Global groups from any domain in the forest
• User and computer accounts from any domain in the forest
• Universal groups from any domain in the forest

Permissions:
• Can be assigned permissions in any domain in the forest or any trusting domain

Usage:
• Use to combine groups that span domains

Can be converted to:
• Domain local
• Global (if no other universal groups exist as members)
What Are Domain Local Groups?
Members:
• Accounts from any domain in the forest or any trusted domain
• Global groups from any domain in the forest or any trusted domain
• Universal groups from any domain in the forest or any trusted domain
• Domain local groups, but only from the same domain as the domain local group

Usage:
• Use to define and manage access to resources in a single domain

Permissions:
• Member permissions can be assigned only within the same domain as the domain local group

Can be converted to:
• Universal (if no other domain local groups exist as members)
What Is Group Nesting?
Nesting allows groups to be members of other groups.

Benefits of using a nesting strategy in managing AD DS groups:
• Groups that are members of other groups reduce replication
• Nested groups provide for simplified management

When nesting, apply the AGDLP or AGUDLP principle.
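The AGDLP principle above, built end to end with the group types, scopes, nesting and conversion rules from the preceding slides, as an added PowerShell example (not course code). The group names follow the role-based management diagram (ProductionDept, ACL_Read_Production_Folders); the OU, the users alice and bob, the folder D:\Production and the NetBIOS domain CONTOSO are assumed lab values.

```powershell
# Added example, not course material: AGDLP / AGUDLP with the AD module.
# OU, user names, folder path and CONTOSO are assumed lab values.
Import-Module ActiveDirectory
$ou = 'OU=Groups,DC=contoso,DC=com'

# A -> G: accounts go into a global role group (security type, global scope).
New-ADGroup -Name 'ProductionDept' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'ProductionDept' -Members 'alice', 'bob'

# DL: one domain local group stands for one permission on one resource.
New-ADGroup -Name 'ACL_Read_Production_Folders' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'ACL_Read_Production_Folders' -Members 'ProductionDept'

# P: the permission is granted once, to the domain local group, on the resource.
# Users are never placed on the ACL directly, so access changes are group changes.
$acl  = Get-Acl -Path 'D:\Production'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'CONTOSO\ACL_Read_Production_Folders', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path 'D:\Production' -AclObject $acl

# AGUDLP for a multi-domain forest: global groups from several domains are
# collected in a universal group, which is then nested in the domain local group.
New-ADGroup -Name 'AllProduction' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'AllProduction' -Members 'ProductionDept'
Add-ADGroupMember -Identity 'ACL_Read_Production_Folders' -Members 'AllProduction'

# Who can actually read the folder? -Recursive expands the nesting, so this list,
# not the ACL, is what an access review should look at.
function Get-EffectiveMember {
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive | Select-Object -ExpandProperty SamAccountName
}
Get-EffectiveMember -Group 'ACL_Read_Production_Folders'

# Scope conversion follows the slide rules: a global group may become universal
# only if it is not a member of another global group. ProductionDept is nested in
# a universal group, not a global one, so the conversion is allowed.
Set-ADGroup -Identity 'ProductionDept' -GroupScope Universal
```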
2.6 Using Queries to Locate Objects in AD DS
• Options for Locating Objects in AD DS
• Demonstration: Searching AD DS Using GUI-Based Tools
• Demonstration: Searching AD DS Using Command-Line Tools
Options for Locating Objects in AD DS
• Sorting: use column headings in Active Directory Users and Computers to find the objects based on the columns
• Searching: provide criteria for which you want to search
• Command-line: dsquery parameter

Windows Server 2008 R2 options:
• Active Directory module for Windows PowerShell
• Active Directory Administrative Center

Demonstration: Searching AD DS Using GUI-Based Tools
In this demonstration, you will see how to:
• Use sorting in Active Directory Users and Computers to locate AD DS objects
• Use saved queries in Active Directory Users and Computers to locate AD DS objects
• Use Active Directory Administrative Center to locate AD DS objects
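The search options from this section (sorting, saved queries and the dsquery command line) as an added PowerShell example, not course code, covering the searches an administrator runs most often when reviewing accounts. The domain contoso.com, the Sales OU and the 90-day window are assumed; the LDAP filter is written the way an ADUC saved query stores it, so the same string can be pasted into either tool.

```powershell
# Added example, not course material: the same searches via the AD module's
# -Filter, a raw -LDAPFilter (saved-query style) and dsquery. contoso.com, the
# Sales OU and the 90-day window are assumed lab values.
Import-Module ActiveDirectory
$searchBase = 'OU=Sales,DC=contoso,DC=com'

# Searching + sorting: PowerShell filter syntax, translated to LDAP by the module.
function Get-DisabledUser {
    Get-ADUser -Filter { Enabled -eq $false } -SearchBase $searchBase |
        Sort-Object SamAccountName | Select-Object SamAccountName, DistinguishedName
}

# Saved-query equivalent: a raw LDAP filter. The bitwise-AND matching rule OID
# tests the "password never expires" bit (0x10000 = 65536) of userAccountControl;
# such accounts sidestep the maximum password age and deserve a regular review.
function Get-PasswordNeverExpiresUser {
    Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))' `
        -SearchBase $searchBase -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
}

# Privileged-group review: -Recursive expands nesting, so a member hidden two
# groups deep is listed alongside direct members.
function Get-PrivilegedMember {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'))
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
    }
}

# Stale accounts: enabled, but no logon in the given number of days.
function Get-StaleUser {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties LastLogonDate |
        Select-Object SamAccountName, LastLogonDate
}

Get-DisabledUser
Get-PasswordNeverExpiresUser
Get-PrivilegedMember | Format-Table -AutoSize
Get-StaleUser

# Command-line option from the slide: the same questions asked with dsquery
# (inactive for 13 weeks, disabled, password unchanged for 90 days).
dsquery.exe user $searchBase -inactive 13
dsquery.exe user $searchBase -disabled
dsquery.exe user $searchBase -stalepwd 90
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only updated when the previous value is more than about two weeks old, so the staleness queries are approximate by that margin on purpose; they are meant for periodic clean-up reviews, not for exact last-activity timestamps.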
Assignment 2 later in the course shall cover
• Top level Network Design
• Designing Sites
• Active Directory Replication
• Managing Trusts
• Routing between sites (subnets)
