2. Active Directory Domain Services
• Active Directory is a directory service, and it is the role of a directory service to maintain information about enterprise resources, including users, groups, and computers.
• A directory service is the software system that stores, organizes and provides access to the information in a directory.
• It helps administrators centralize the creation of users and groups, and specify roles and access levels for IT resources across the company network.
• This greatly simplifies the administrators' task, because they no longer have to manage accounts separately on multiple systems for each user.
3. Windows Server Basic Terminology
➢ Domain Controllers
• Domain controllers (DCs) perform identity and access management in a Microsoft Windows enterprise.
• Any server that has AD (Active Directory) installed becomes a DC. In a domain, one DC acts as the primary domain controller while the others act as backup domain controllers.
➢ Functions of a DC
• Stores a complete copy of all the objects belonging to a single domain. It also records the changes made to those objects and replicates them to the other DCs in the same domain.
• Provides fault tolerance: if one DC is offline, another can provide all the functions AD requires.
• Manages all user interaction within the domain, such as finding AD objects and validating user authentication.
4. Cont…
• Active Directory enables you to configure a domain and a forest with a single domain controller.
• The Add Roles Wizard in Server Manager is used to install Active Directory Domain Services (AD DS).
• The Active Directory Domain Services Installation Wizard is then used to create the first DC in the forest.
• Additional domain controllers are used to create a level of fault tolerance in the event that any one DC fails, or to provide authentication in remote sites.
E.g.: DBU.com
5. Cont…
➢ Domain
• A domain is the core administrative unit of a network structure.
• It is a logical grouping of computers that share a common directory database and security system.
• Objects stored in a domain are considered vital to the network.
• These objects are the resources that network users need to perform their tasks. An object can be a printer, a document, a database or a user.
• A domain acts as a security boundary and governs access to the objects it contains.
6. Cont…
➢ Tree
• A tree is a hierarchical collection of one or more domains, created by adding one or more child domains to an existing parent domain.
➢ Child Domain
• You may want to create a child domain and then delegate the Domain Name System (DNS) namespace to a domain controller located in this child domain for any of the following reasons:
E.g. CS.DBU.com
[Figure: domain tree with DBU.com as the parent domain, IT.DBU.com and CS.DBU.com as its child domains, and First-year.CS.DBU.com as a child domain of CS.DBU.com]
7. Cont…
➢ Understanding Active Directory objects
• Active Directory is a directory service that maintains information about enterprise resources, including users, groups, and computers.
• Resources are divided into OUs (organizational units) to facilitate manageability and visibility, that is, to make it easier to find objects.
• A user requires an Active Directory user account to log on to a computer or to a domain.
• The account establishes an identity for the user; the operating system then uses this identity to authenticate the user and to grant him or her authorization to access specific domain resources.
8. Cont…
➢ Organizational units (OUs) are administrative containers within Active Directory that are used to collect objects that share common requirements for administration, configuration, or visibility.
➢ Groups are an important class of object because they are used to collect users, computers, and other groups to create a single point of management.
• The most straightforward and common use of a group is to grant permissions to a shared folder.
➢ Users in a domain often share many similar properties.
• For example, all sales representatives can belong to the same security groups, log on to the network during similar hours, and have home folders.
9. Cont…
➢ Computer
• Like user objects, computers are represented as accounts and objects in AD.
• A computer also logs on to a domain.
• The computer object has a name with a dollar sign appended, e.g. COMP$, and a password that is established when you join the computer to the domain.
• Each computer that needs to access network resources must have a unique computer account in the network.
➢ Forest
• A forest is a collection of one or more independent domain trees.
10. Server installation
• Microsoft releases all of its operating systems in multiple editions, which provides consumers with varying price points and feature sets.
➢ Windows Server 2012 R2 Datacenter: The Datacenter edition is designed for large and powerful servers with up to 64 processors and includes fault-tolerance features such as hot-add processor support.
➢ Windows Server 2012 R2 Standard: The Standard edition includes the full set of Windows Server 2012 R2 features and differs from the Datacenter edition only in the number of virtual machine (VM) instances permitted by the license.
➢ Windows Server 2012 R2 Essentials: The Essentials edition includes nearly all the features in the Standard and Datacenter editions; it does not include Server Core,
11. Cont…
➢ Windows Server 2012 R2 Foundation: The Foundation edition is a scaled-down version of the operating system; it is designed for small businesses that require only basic server features, such as file and print services and application support. It has no virtualization rights and is limited to 15 users.
• Installation requirements
• If your computer does not meet the following hardware specifications, Windows Server 2012 R2 will not install correctly (or possibly at all):
✓ 1.4-GHz 64-bit processor
✓ 512 MB RAM
✓ 32 GB available disk space
✓ Super VGA (1024 x 768) or higher resolution monitor
✓ Keyboard and mouse (or other compatible pointing device)
✓ Internet access
12. Choosing installation options
• Windows Server 2012 R2 provides installation options that enable administrators to keep the unnecessary resources installed on a server to a minimum.
➢ Using Server Core
• Windows Server 2012 R2 includes an installation option that minimizes the user interface on a server.
• When you select the Windows Server Core installation option, you install a stripped-down version of the operating system.
• There is no Start menu, no desktop Explorer shell, no Microsoft Management Console (MMC), and virtually no graphical applications.
• All you see when you start the computer is a single window with a command prompt.
13. WHAT IS SERVER CORE?
• Server Core is not a separate product or edition. It is an installation option included with the Windows Server 2012 R2 Standard edition and the Windows Server 2012 R2 Datacenter edition.
• There are several advantages to running servers using Server Core:
– Hardware resource conservation: Server Core eliminates some of the most memory-intensive and processor-intensive elements.
– Reduced disk space: Server Core requires less disk space for the installed operating system elements, which maximizes the utilization of the server's storage resources.
14. Cont…
– Reduced patch frequency: The graphical elements of Windows Server 2012 R2 are among the most frequently updated, so running Server Core reduces the number of updates that administrators must apply.
• Fewer updates also mean fewer server restarts and less downtime.
– Reduced attack surface: The less software there is running on the computer, the fewer entry points there are for attackers to exploit.
• Server Core reduces the potential openings presented by the operating system, increasing its overall security.
FIGURE 1-1 The default Server Core interface
15. Windows Server 2012 installation (GUI)
1. Start the computer, then insert the Windows Server 2012 installation DVD into the DVD drive.
2. Reboot the computer; the installation wizard appears as shown.
3. Click the Next button. The Install Windows wizard now contains an Install Now button, as shown.
4. Select the language for the installation.
5. Click the Install Now button to start the installation of Windows Server 2012, then type your product key for activation.
16. Cont…
6. Select the Windows Server edition and click the Next button.
7. Select the type of Windows Server installation (Custom or Upgrade).
17. Migrating roles
• In addition to installing a server, we can migrate roles from one server to another.
• Migration is the preferred method of replacing an existing server with one running Windows Server 2012 R2.
• Unlike an in-place upgrade, a migration copies vital information from an existing server to a clean Windows Server 2012 R2 installation.
• By using the Windows Server Migration Tools and the migration guides supplied with Windows Server 2012 R2, you can migrate data between servers under any of the following conditions:
➢ Between versions: You can migrate data from any Windows Server version from Windows Server 2003 SP2 to Windows Server 2012 R2.
• This includes migrations from one server running Windows Server 2012 R2 to another.
18. Cont…
➢ Between platforms: You can migrate data from a 32-bit or 64-bit server to a 64-bit server running Windows Server 2012 R2.
➢ Between editions: You can migrate data between servers running different Windows Server editions (Datacenter to Standard).
➢ Between physical and virtual instances: You can migrate data from a physical server to a virtual one, or the reverse.
➢ Between installation options: You can migrate data from one server to another, even when one server is using the Server Core installation option and the other is using the Server with a
19. Users and group management
• Why different users?
  – Users create data
    ▪ Privacy should be ensured
  – Different privileges for different activities
    ▪ Administrators
    ▪ Regular users
    ▪ Guests
• Why user management?
  – We must enforce policy based on the user or the user's role
• User management
  – Creating, modifying and deleting users
  – Granting and revoking permissions to users
20. User management
• A security policy should be in place
  – to define what to share, and
  – how to share it.
• Local user management
  – No user management server is used
  – User accounts are created on the host itself
  – Each host is responsible for managing its own users
  – Security policies are defined (and enforced) for the users created on the host
• Centralized user management
  – Dedicated server(s) manage user accounts
  – User accounts are created on the server
  – The server manages the users
  – Security policy is defined on the server and is applied universally
  – A specific protocol, LDAP, is used for communication between hosts and the server
21. Managing Users
– You can create user accounts manually or by writing scripts
  ▪ To create accounts manually, you use the Active Directory Users and Computers console
  ▪ To script a user account, you need to be familiar with at least one scripting language, such as VBScript or JScript
  ▪ We can also create user accounts using PowerShell
22. Cont…
• It is very important to plan your user accounts before you actually create them
• Parameters you need to consider while planning
  – Naming conventions
  – Password requirements
  – Account options
• Naming conventions
  – A good naming convention makes it easy for users to remember their logon names
  – It also provides for cases in which two users have the same name
• Password requirements
  – Each user account will typically be assigned a password
  – Passwords prevent unauthorized access to a domain or a computer
23. Cont…
• Account options
  – It is also important to consider certain properties before you create user accounts
  ▪ The Log On To option specifies the computers to which a user can log on
  ▪ The Logon Hours section allows you to specify which hours of the day and days of the week a user can log on
  ▪ The Account Expires section allows you to predefine when a user account will expire
• Active Directory Service Interfaces (ADSI)
  – You can use ADSI to create scripts
  – ADSI is a fully programmable automation object available to administrators
• You can also create user accounts in batches from a .csv or an .ldif file using the Csvde.exe or Ldifde.exe utilities
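The planning points above (naming convention, initial password, and the Log On To, Logon Hours and Account Expires options) worked out as a PowerShell provisioning script fed from .csv rows, as an added example that is not code from the slides. The OU path, UPN suffix, workstation names and sample rows are assumed values.

```powershell
# Added example (not from the slides): bulk-create domain users with the
# ActiveDirectory module. Assumes a DC or RSAT host with rights to create
# objects in $TargetOU (must already exist); OU, suffix and rows are samples.
Import-Module ActiveDirectory
$TargetOU  = 'OU=Sales,OU=Staff,DC=DBU,DC=com'
$UpnSuffix = 'DBU.com'
# Constructed sample input; in production read a file with Import-Csv
$People = @'
GivenName,Surname,Workstation,ExpiresInDays
Abebe,Kebede,SALES-PC01,365
Sara,Tesfaye,SALES-PC02,180
'@ | ConvertFrom-Csv
# Naming convention: first initial + surname, lower case, letters and digits only;
# when two users would get the same logon name, append a counter.
function New-LogonName {
    param([string]$Given, [string]$Sur)
    $base = (($Given.Substring(0, 1) + $Sur).ToLower() -replace '[^a-z0-9]', '')
    $name = $base; $n = 2
    while (Get-ADUser -Filter "SamAccountName -eq '$name'") { $name = "$base$n"; $n++ }
    return $name
}
# Logon Hours: AD stores a 21-byte bitmap, one bit per hour of the week (UTC),
# starting Sunday 00:00; within a byte the lowest bit is the earliest hour.
function New-LogonHours {
    param([int[]]$Days, [int]$FromHour, [int]$ToHour)   # 0 = Sunday; ToHour exclusive
    $bits = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $FromHour; $h -lt $ToHour; $h++) {
            $i = $d * 24 + $h
            $b = [int][math]::Floor($i / 8)
            $bits[$b] = $bits[$b] -bor (1 -shl ($i % 8))
        }
    }
    return $bits
}
$OfficeHours = New-LogonHours -Days (1..5) -FromHour 8 -ToHour 18   # Mon-Fri 08:00-18:00 UTC
foreach ($p in $People) {
    $sam = New-LogonName -Given $p.GivenName -Sur $p.Surname
    # One-time random initial password; the user must replace it at first logon
    $pool  = [char[]]((48..57) + (65..90) + (97..122) + (33, 35, 36, 37, 38, 42, 43))
    $plain = -join (1..16 | ForEach-Object { $pool | Get-Random })
    $props = @{
        Name                  = "$($p.GivenName) $($p.Surname)"
        GivenName             = $p.GivenName
        Surname               = $p.Surname
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$UpnSuffix"
        Path                  = $TargetOU
        AccountPassword       = (ConvertTo-SecureString $plain -AsPlainText -Force)
        ChangePasswordAtLogon = $true
        Enabled               = $true
        LogonWorkstations     = $p.Workstation                              # Log On To
        AccountExpirationDate = (Get-Date).AddDays([int]$p.ExpiresInDays)   # Account Expires
    }
    New-ADUser @props
    Set-ADUser -Identity $sam -Replace @{ logonHours = $OfficeHours }       # Logon Hours
    [pscustomobject]@{ LogonName = $sam; InitialPassword = $plain }         # hand over out of band
}
```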
24. Cont…
➢ Local user accounts
  – If you have administrative rights, you can use the Local Users and Groups snap-in in the Computer Management console
  – From this console, you can create, delete, or disable local user accounts on a local computer.
Local security database
25. Cont…
➢ Creating a domain user account
• You use a domain user account to log on to a domain and access network resources
  – You use the Active Directory Users and Computers console to create domain user accounts.
Domain user account
26. Cont…
• Built-in user accounts are created by default during the installation of Windows Server.
• Administrator built-in user account
  – A user account for the system administrator.
  – This account is the first account created during operating system installation. The account cannot be deleted or locked out.
  – It is a member of the Administrators group and cannot be removed from that group.
  – Used to perform administrative tasks:
    ▪ Creating and managing user accounts
    ▪ Setting account properties
    ▪ Assigning permissions to user accounts to access resources
  – Used to gain access to network resources
27. Cont…
• Built-in Guest account
  – Used to give users access to resources for a short time
  – Is disabled by default
• Authenticated Users
  – A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
  – This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization.
• Backup Operators
  – A built-in group. By default, the group has no members.
  – Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators can also log on to the computer and shut it down.
28. Cont…
• Domain Admins
  – A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers.
  – Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
• Domain Users
  – A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group automatically.
• Server Operators
  – A built-in group that exists only on domain controllers. By default, the group has no members.
  – Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
29. Setting User Account Properties
• Every user account you create has a set of default properties you can configure
  – Including personal information, logon settings, dial-in settings, and Terminal Services settings for a user
  – The personal properties you define for a domain user account are useful when conducting user searches based on very specific information
  – Logon settings are used to specify the logon hours for a user
  – Dial-in settings for a user account are used to specify if and how a user can make a dial-in connection from a remote location
  – Terminal Services properties provide the ability to connect to a server from a remote location
30. Cont…
• You can save a lot of time by filling out the common fields shared between user accounts in a "template" account
  – A template account is a disabled account that is used as a model for creating other accounts
  – After filling out the appropriate fields, you can right-click the account and select Copy to create a new account with most of your pre-defined fields already filled in
31. Maintaining User Accounts
• As a system/network administrator, you must maintain user accounts based on the needs of your organization
• Typical user account maintenance tasks
  – Modifying user accounts
  – Resetting passwords
  – Unlocking user accounts
• You can modify user accounts in many ways
  – Rename a user account
  – Disable or enable a user account
  – Delete a user account
• To modify user accounts, you need at least the Write permission for the user account
32. Cont…
• You can reset passwords when a user's password expires before the user has a chance to change it
• In some cases, users might even forget their passwords
• You do not need to know the old password in order to reset a password
• After the administrator or the user sets a password for a user account, the password is not viewable by anyone, including the administrator
• Windows Server can lock user accounts for users who violate the account lockout policy
• In such cases, the user can either wait until the lockout period expires (usually 30 minutes), or contact an administrator to unlock the user account
33. Cont…
• To unlock a user account
  – Open the Account tab on the Properties dialog box for the user account
  – Clear the Account is locked out check box
• It is important to understand that the Account is locked out check box will be active only when the system has locked out a user account
• You cannot manually lock out a user account
Unlocking a locked out account
34. Cont…
• Moving accounts within a domain
  – You move an account within a domain to change the OU or container in which the account is currently located
  – This allows different delegated permissions and Group Policies to apply to the account
• Planning password policy
  – You use Group Policy to set the password policy for your network
  – Passwords should be memorable to your users, yet completely unrelated to them personally
  – They should consist of uppercase and lowercase letters, numbers, and special characters
  – The length of the password is also extremely important, as a longer password takes longer to crack using dictionary or brute-force techniques
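The maintenance tasks of slides 31 to 34 in PowerShell, as an added example that is not code from the slides: reviewing and tightening the Group Policy password and lockout settings, listing the accounts the system has locked out, unlocking one, and resetting a forgotten password without knowing the old one. The domain name and the policy values are assumed, not taken from the slides.

```powershell
# Added example (not from the slides). Assumes rights to administer DBU.com;
# the numeric policy values below are an assumed baseline.
Import-Module ActiveDirectory
$Domain = 'DBU.com'

# 1. The password and lockout policy applied through the Default Domain Policy
function Get-DbuPasswordPolicy {
    Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
        Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
            MaxPasswordAge, LockoutThreshold, LockoutDuration, LockoutObservationWindow
}

# Longer minimum plus complexity (the slides' advice), and a 30-minute lockout
# after 5 bad attempts. LockoutObservationWindow must not exceed LockoutDuration.
function Set-DbuPasswordPolicy {
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain -MinPasswordLength 14 `
        -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 90) -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}

# 2. Only the system locks accounts (slide 33); list the ones it has locked,
#    with the bad-logon evidence an administrator should look at before unlocking
function Get-DbuLockedAccounts {
    Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
        Get-ADUser -Identity $_.SamAccountName -Properties BadLogonCount, LastBadPasswordAttempt
    } | Select-Object SamAccountName, BadLogonCount, LastBadPasswordAttempt
}

# 3. Unlock after the user's identity has been confirmed out of band
function Unlock-DbuUser {
    param([Parameter(Mandatory)][string]$Sam)
    $u = Get-ADUser -Identity $Sam -Properties LockedOut
    if (-not $u.LockedOut) { return "$Sam is not locked out" }
    Unlock-ADAccount -Identity $Sam
    return "$Sam unlocked"
}

# 4. Reset a password: no old password needed; the user must change it at next logon
function Reset-DbuPassword {
    param([Parameter(Mandatory)][string]$Sam)
    $pool  = [char[]]((48..57) + (65..90) + (97..122) + (33, 35, 36, 37, 38, 42, 43))
    $plain = -join (1..16 | ForEach-Object { $pool | Get-Random })
    Set-ADAccountPassword -Identity $Sam -Reset `
        -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
    Set-ADUser -Identity $Sam -ChangePasswordAtLogon $true
    return $plain   # one-time value; give it to the user through a verified channel
}

Get-DbuPasswordPolicy
Get-DbuLockedAccounts
```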
35. Group management
• Because managing access to network resources using individual user accounts is unmanageable, you create group objects to manage large collections of users at one time.
➢ Group types
• When you create a new group object by using Active Directory Users and Computers, you are given the choice of creating a distribution group or a security group.
• The most commonly used type of group in Active Directory is the security group.
  ▪ A security group is a security principal and can be used to assign permissions to network resources.
  ▪ A distribution group is used to send mail to a whole group of users at one time.
36. Group management
➢ Group scope
In Windows Server Active Directory, you can create groups with three different scopes:
I. Domain local,
II. Global, and
III. Universal.
• Nested groups are groups that are members of other groups.
37. Group scope

Scope: Domain local group
  Group membership:
    ▪ User accounts from any domain in the forest
    ▪ Global groups or universal groups from any domain in the forest
    ▪ User accounts or global or universal groups from any domain in a trusted forest
    ▪ Nested domain local groups from the local domain
  Used to:
    ▪ Assign access to resources only in the local domain

Scope: Global group
  Group membership:
    ▪ User accounts from the domain where the group is created
    ▪ Nested global groups from the same domain
  Used to:
    ▪ Assign access to resources in all domains in the forest, or between trusted forests

Scope: Universal group
  Group membership:
    ▪ User accounts from any domain in the forest
    ▪ Global groups from any domain in the forest
    ▪ Nested universal groups from any domain in the forest
  Used to:
    ▪ Assign access to resources in all domains in the forest or between trusted forests
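The group types, scopes and nesting above applied to the shared-folder case from slide 8, as an added example that is not code from the slides: a global group for the role, a domain local group that the resource's ACL refers to, the global group nested into the domain local one, and the DC rejecting a nesting the scope rules forbid. The domain, OU, user names and folder path are assumed sample values.

```powershell
# Added example (not from the slides). Assumes the DBU.com domain, an existing
# OU=Groups container, users akebede and stesfaye, and a folder D:\Shares\Sales
# on this server; all of these are constructed sample values.
Import-Module ActiveDirectory
$GroupOU = 'OU=Groups,DC=DBU,DC=com'
$Share   = 'D:\Shares\Sales'

# Global security group: the role; may only hold principals from this domain
New-ADGroup -Name 'GG-Sales-Reps' -GroupScope Global -GroupCategory Security `
    -Path $GroupOU -Description 'Sales representatives (role)'
# Domain local security group: the permission holder for a resource in this domain
New-ADGroup -Name 'DL-SalesShare-Change' -GroupScope DomainLocal -GroupCategory Security `
    -Path $GroupOU -Description 'Change access to the Sales share'
# Distribution group: mail only; it is not a security principal and cannot appear in an ACL
New-ADGroup -Name 'Sales-Announcements' -GroupScope Universal -GroupCategory Distribution -Path $GroupOU

# Users go into the global group; the global group is nested into the domain local group
Add-ADGroupMember -Identity 'GG-Sales-Reps' -Members 'akebede', 'stesfaye'
Add-ADGroupMember -Identity 'DL-SalesShare-Change' -Members 'GG-Sales-Reps'

# Scope rule from the table: a global group cannot contain a domain local group,
# so the DC rejects this membership change
try {
    Add-ADGroupMember -Identity 'GG-Sales-Reps' -Members 'DL-SalesShare-Change' -ErrorAction Stop
} catch {
    Write-Warning "Rejected as expected: $($_.Exception.Message)"
}

# Grant the domain local group (never individual users) Modify on the folder's NTFS ACL
$acl  = Get-Acl -Path $Share
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'DBU\DL-SalesShare-Change', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Share -AclObject $acl

# Share the folder with Change access for the same group; share and NTFS permissions
# combine, and the more restrictive of the two applies
New-SmbShare -Name 'Sales' -Path $Share -ChangeAccess 'DBU\DL-SalesShare-Change'

# Verify who actually gets access through the nesting
Get-ADGroupMember -Identity 'DL-SalesShare-Change' -Recursive | Select-Object SamAccountName
```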