
1DV416 – Windows administration I, 7.5 hp

MODULE 3 – ACTIVE DIRECTORY, PART 2
Lecture content
Today's lecture
•  Active Directory
   –  Installation
   –  Joining the domain
   –  Centralized user management
      •  OU
      •  Profile
      •  Groups
   –  Additional Domain Controllers
   –  FSMO
2013-12-10   © 2013 Jacob Lindehoff
Active Directory
Installation checklist
•  Verify the NetBIOS name (the server name should be final before promotion)
•  Verify TCP/IP settings (static address; DNS client pointing at a DNS server that will hold the AD zone)
•  NTFS volume with enough free disk space for the database (NTDS) and SYSVOL
•  Planning of the logical structure (forest, domains, OUs)
•  Planning of the physical structure (sites, subnets, DC placement)
•  Verify existing DNS servers (they must support SRV records and dynamic updates, or let the wizard install DNS)
•  Add the role "Active Directory Domain Services"
•  Run the post-setup wizard to promote the server to a DC (dcpromo on older versions)
•  Verify the DNS service (the SRV records under _msdcs are registered and clients can resolve them)
Active Directory
•  Installation
   –  Name: the DNS name of the domain decides how users sign in
      •  UPN: user@company.tld or user@company.local
      •  Down-level (NetBIOS) logon name: company\user
   –  Caveat: .local is not a registrable top-level domain and collides with mDNS (Bonjour) on many clients; prefer a subdomain of a DNS name the organization owns, for example ad.company.tld


Active Directory
AD and DNS
•  Sign on: before a client can authenticate it must locate a domain controller, and it does that through DNS
•  Locate via DNS SRV records
   –  Global Catalog (_gc._tcp.<forest>)
   –  Domain Controller (_ldap._tcp.dc._msdcs.<domain>, _kerberos._tcp.<domain>)
Figure: Client sends an SRV query to DNS, gets the DC's name and address back, and then talks to the DC. Without working DNS there is no domain logon.
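The installation checklist and the DNS-based DC location above, carried through as an added PowerShell example (not part of the lecture slides). It assumes a new forest named corp.example.local with NetBIOS name CORP, a DC address of 10.0.0.10 and a client named ws01; all of these names are assumptions.

```powershell
# Added example, not from the lecture: build the first DC of a new forest, verify the
# DNS records clients use to find it, then join a client.
# Assumed names: forest corp.example.local, NetBIOS CORP, DC address 10.0.0.10, client ws01.
# Run as local Administrator on the future DC (Windows Server 2012 or later).

# --- Pre-checks from the slide: NetBIOS name, TCP/IP, NTFS and free space ---
$env:COMPUTERNAME                                   # must already be the final DC name
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, DNSServer
Get-Volume -DriveLetter C | Select-Object FileSystem, SizeRemaining   # NTFS, room for NTDS and SYSVOL

# --- Add the role and promote (on 2012+ this replaces dcpromo) ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
# WinThreshold = Windows Server 2016 functional level; use Win2012R2 or lower on older servers.
Install-ADDSForest `
    -DomainName 'corp.example.local' `
    -DomainNetbiosName 'CORP' `
    -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrm `
    -Force                                           # no confirmation prompt; the server reboots

# --- After the reboot: verify that the DC registered the records clients look for ---
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example.local' -Type SRV
Resolve-DnsName -Name '_gc._tcp.corp.example.local'             -Type SRV   # global catalog
Resolve-DnsName -Name '_kerberos._tcp.corp.example.local'       -Type SRV
dcdiag /test:dns /v                                  # DNS health, including dynamic registration
nltest /dsgetdc:corp.example.local                   # the DC-locator call a client makes at sign-on

# --- On the client ws01: point DNS at the DC, then join the domain ---
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.10'
Add-Computer -DomainName 'corp.example.local' -Credential (Get-Credential 'CORP\Administrator') -Restart
# After the client reboots, confirm the machine account's secure channel to a DC:
Test-ComputerSecureChannel -Verbose
```

If the SRV queries return nothing, the promotion itself may have succeeded while dynamic DNS registration failed; fix the DNS client settings on the DC and restart the Netlogon service so it re-registers its records before touching any client.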


Active Directory
What is the purpose of the Global Catalog?
•  Optimization: a partial, read-only copy of every domain partition in the forest, held on selected DCs
•  A GC contains content from all domains in the forest
   –  all objects, but only a subset of the attributes (the partial attribute set)
   –  a table of contents for the whole directory: forest-wide searches go to the GC (port 3268/3269) instead of to every domain
•  Required for users to be able to log in in a multi-domain forest: the DC asks a GC for the user's universal group memberships when it builds the token, so logon fails when no GC is reachable unless universal group membership caching is enabled for the site
•  Membership of universal groups is stored in the GC
Active Directory
Domain user account: replication
Figure: domain kalmar.se with DC A and DC B, each holding a replica of the AD database. User A is created on DC A and User B on DC B; multi-master replication copies both accounts to both DCs, so the clients and the member server can authenticate either user against whichever DC they locate.


Active Directory
User Account Template
•  Create an account template for accounts that share general information; keep the template account disabled so it can never be used to log on
•  Use Copy to create the new accounts from it
Figure (template and two copies made from it):
   Template account (inactive), general information: Class: NS, Location: Teknikum, Focus: Data
   Individual user account, individual items: First name: Donald, Surname: Johansson, Login name: dj22ay
   Individual user account, individual items: First name: Per, Surname: Svensson, Login name: ps11ga


Active Directory
Home folder
Figure: 1. User A (or User B) logs on at a client in the domain; 2. the DC authenticates the user against AD and returns the home folder path stored on the account; 3. the client maps the home folder from the file server (a member server), whose local disk holds one folder per user (User A's home folder, User B's home folder).


Active Directory
Logon script
•  Runs when the user logs on to a computer
•  Stored in \\<domaincontroller>\NETLOGON (the scripts folder in SYSVOL)
•  Replicated to all domain controllers
•  Only the file name is entered on the user account (Logon script / scriptPath), not the path
•  Example uses
   –  mapping network drives
   –  connecting printers
   –  etc.
Caveat: the script runs in the user's context on every logon, so write access to NETLOGON must stay limited to administrators; whoever can change the script runs code as every user who logs on.
Active Directory
User profile
•  Roaming: the profile is stored on a server share (profilePath), copied to the client at logon and written back at logoff
•  Mandatory: a roaming profile made read-only (NTUSER.DAT renamed to NTUSER.MAN); changes are discarded at logoff
•  Use Group Policy to set profile paths and folder redirection centrally instead of on each account
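The template, home folder, logon script and profile slides describe one provisioning procedure; the added PowerShell below (not from the lecture) runs it end to end. It assumes the domain corp.example.local (CORP), an OU "OU=Students,DC=corp,DC=example,DC=local", a disabled template user tpl_student, and a file server fs01 with hidden shares home$ and profiles$; all are assumptions.

```powershell
# Added example, not from the lecture: create a user by copying a template account, then
# provision home folder, logon script and roaming profile for it.
# Assumed: domain corp.example.local (CORP), OU Students, disabled template user tpl_student,
# file server fs01 with shares home$ and profiles$ whose root ACL grants only administrators.
Import-Module ActiveDirectory

$ou = 'OU=Students,DC=corp,DC=example,DC=local'
$dc = [string](Get-ADDomainController -Discover -Writable).HostName   # one writable DC for every step

# 1. Template: disabled, carries the shared attributes (class, location, focus) and group memberships.
$tpl = Get-ADUser -Identity 'tpl_student' -Server $dc `
        -Properties Department, Office, Title, Company, ScriptPath, HomeDrive, MemberOf

# 2. "Copy": -Instance seeds the new object with the template's attributes; identity
#    attributes, paths and the password are supplied explicitly and override the template.
$sam = 'ps11ga'
$pw  = Read-Host -AsSecureString "Initial password for $sam"
# ScriptPath is the file name only; the client resolves it under \\<dc>\NETLOGON.
New-ADUser -Server $dc -Instance $tpl -Path $ou `
    -Name 'Per Svensson' -GivenName 'Per' -Surname 'Svensson' `
    -SamAccountName $sam -UserPrincipalName "$sam@corp.example.local" `
    -HomeDirectory "\\fs01\home$\$sam" -HomeDrive 'H:' `
    -ProfilePath   "\\fs01\profiles$\$sam" `
    -ScriptPath    'logon.bat' `
    -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $true

# Group membership is not copied by -Instance; copy it from the template explicitly.
$tpl.MemberOf | ForEach-Object { Add-ADGroupMember -Server $dc -Identity $_ -Members $sam }

# 3. Home folder on the file server: the user gets Modify on its own folder and nothing else,
#    administrators keep what the share root already grants them by inheritance.
$homePath = "\\fs01\home$\$sam"
New-Item -ItemType Directory -Path $homePath | Out-Null
$acl  = Get-Acl -Path $homePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "CORP\$sam", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $homePath -AclObject $acl

# 4. Verify what was provisioned
Get-ADUser -Identity $sam -Server $dc -Properties HomeDirectory, ScriptPath, ProfilePath, MemberOf |
    Format-List SamAccountName, Enabled, HomeDirectory, HomeDrive, ScriptPath, ProfilePath, MemberOf
```

Targeting one DC with -Server for every step avoids the classic race where the user is created on one DC and the group membership change is sent to another before replication has caught up.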


Active Directory
Organizational Units:
•  Sorting and organizing objects
•  Apply Group Policy (GPOs are linked to OUs; they cannot be linked to the default containers such as Users and Computers)
•  Delegate administrative control (permissions are set on the OU's ACL and inherited by the objects in it)


Active Directory
What should I use OUs for?
1.  Organizing
2.  Delegation of administration
3.  Group Policy

How should you build the OU structure?
In view of points 2 and 3: let delegation (who administers which objects) and Group Policy (which policies apply to which objects) decide the tree, not the organization chart.
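The OU slides above say to build the tree around delegation and Group Policy; this added PowerShell example (not from the lecture) does exactly that for a small tree, delegating password resets on one OU and linking a GPO to it. It assumes the domain corp.example.local and an existing group CORP\Helpdesk-Students; both are assumptions.

```powershell
# Added example, not from the lecture: build OUs by admin boundary, delegate only password
# resets to a helpdesk group on one of them, link a GPO, and review the resulting ACL.
# Assumed: domain corp.example.local, existing group CORP\Helpdesk-Students.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$base = 'DC=corp,DC=example,DC=local'

# OUs by who administers them and which policy they need, not by org chart.
foreach ($name in 'Staff', 'Students', 'Workstations', 'Servers') {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $base -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $name -Path $base -ProtectedFromAccidentalDeletion $true
    }
}
$students = "OU=Students,$base"

# Delegation: the helpdesk may reset student passwords, force a change at next logon and
# unlock accounts, and nothing else. dsacls syntax:
#   /G "<trustee>:<rights>;<attribute or control access right>;<object class>"
#   CA = control access right, RP/WP = read/write property, /I:S = inherit to child objects only
dsacls $students /I:S /G 'CORP\Helpdesk-Students:CA;Reset Password;user'
dsacls $students /I:S /G 'CORP\Helpdesk-Students:WP;pwdLastSet;user'
dsacls $students /I:S /G 'CORP\Helpdesk-Students:RPWP;lockoutTime;user'

# Group Policy: one GPO per purpose, linked to the OU it applies to.
$gpo = New-GPO -Name 'Students - Desktop lockdown'
New-GPLink -Name $gpo.DisplayName -Target $students -LinkEnabled Yes

# Review: every ACE on the OU that names the helpdesk group. Anything beyond the three
# rights above means the delegation is wider than intended.
(Get-Acl -Path "AD:\$students").Access |
    Where-Object { $_.IdentityReference -like 'CORP\Helpdesk*' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Delegating on the OU rather than adding the helpdesk to Account Operators keeps the group away from domain controllers and from every other account in the domain.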
Active Directory
Standard containers in Active Directory:
•  Builtin (container)
•  Computers (container; default location for newly joined computers)
•  Domain Controllers (OU; the only default that is an OU, so that Group Policy can be linked to it)
•  ForeignSecurityPrincipals (container; placeholders for SIDs from trusted external domains that are members of groups in this domain)
•  Users (container; default location for new users and for the predefined groups)


Active Directory
Predefined user accounts in Active Directory:
•  Example
   –  Administrator
   –  Guest (disabled by default)
   –  IUSR_servername (legacy; created by IIS on Windows 2000/2003 for anonymous web access)
   –  IWAM_servername (legacy; created by IIS for out-of-process web applications)
   –  krbtgt (the KDC's service account; its key encrypts every Kerberos ticket-granting ticket, it is always disabled, must never be deleted or renamed, and its password is reset twice after a compromise)
   –  TsInternetUser (legacy; Terminal Services Internet Connector on Windows 2000)
Active Directory
Predefined groups in the Builtin container:
•  Administrators
•  Account Operators
•  Server Operators
•  Backup Operators
•  Print Operators
•  Users
•  Replicator
Caveat: Account, Server, Backup and Print Operators are legacy high-privilege groups; they can log on to domain controllers and Backup Operators can read any file, including the directory database. Keep them empty and delegate on OUs instead.
Active Directory
Predefined groups in the Users container:
•  Enterprise Admins (exists only in the forest root domain)
•  Schema Admins (exists only in the forest root domain)
•  Domain Admins
•  Group Policy Creator Owners
•  Domain Users
•  Domain Guests
•  Domain Controllers
•  Domain Computers
•  Cert Publishers
•  DnsUpdateProxy
•  RAS and IAS Servers


Active Directory
Implicit groups (special identities)
•  Groups representing users in a given context (how they connected, what they are doing)
•  Users become members automatically
•  Membership cannot be assigned or listed manually; the system adds the SID to the access token
•  Example
   –  Anonymous Logon
   –  Authenticated Users
   –  Creator Owner
   –  Enterprise Domain Controllers
   –  Everyone
   –  Interactive
   –  Network
   –  Self
   –  Service
Caveat: Everyone and Authenticated Users cover every account in the domain (Authenticated Users also includes computer accounts and users from trusted domains), so an ACL granting either of them write access is a common privilege escalation path.


Active Directory
Domain groups:
•  created on domain controllers
•  stored in Active Directory (figure: DC holding the AD database)
•  used to control access to resources in a domain


Active Directory
Active Directory supports three group scopes:
Domain local groups
•  Can be granted permissions only within their own domain
•  Members may come from the entire forest (users, global and universal groups from any domain, plus domain local groups from the same domain)
Global groups
•  Can be granted permissions in the whole forest
•  Members may only come from the same domain as the group (users and other global groups of that domain)
Universal groups
•  Can be granted permissions in the whole forest
•  Members may come from the entire forest (users, global and universal groups); the membership list is stored in the global catalog


Active Directory
Independently of scope, there are two group types:
•  Distribution group
   –  acts as an e-mail list
   –  known as a Distribution List in Exchange
   –  cannot be used in an ACL (its SID is never placed in a token)
   –  ignored during the logon process
•  Security group
   –  can also be mail-enabled and used as an e-mail list
   –  can be placed in an ACL
   –  every security group the user belongs to, directly or through nesting, is evaluated during logon and its SID is added to the access token
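The scope and type slides together describe the AGDLP pattern (accounts into global groups, global groups into domain local groups, permissions on the domain local group). The added PowerShell example below (not from the lecture) builds it, adds a universal and a distribution group for contrast, and checks which of them end up in the user's logon token. It assumes the domain corp.example.local (CORP), an OU Groups, a share \\fs01\data and an existing user ps11ga; all are assumptions.

```powershell
# Added example, not from the lecture: AGDLP with all three scopes, a distribution group
# for comparison, and a check of which groups are actually resolved at logon.
# Assumed: domain corp.example.local (CORP), OU Groups, share \\fs01\data, existing user ps11ga.
Import-Module ActiveDirectory
$groups = 'OU=Groups,DC=corp,DC=example,DC=local'

# A -> G: accounts go into a Global group (members must come from this domain)
New-ADGroup -Name 'G_Students_Data' -GroupScope Global -GroupCategory Security -Path $groups
Add-ADGroupMember -Identity 'G_Students_Data' -Members 'ps11ga'

# G -> DL: the Domain Local group carries the permission; it may contain global and
# universal groups from any domain in the forest
New-ADGroup -Name 'DL_Data_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groups
Add-ADGroupMember -Identity 'DL_Data_Modify' -Members 'G_Students_Data'

# DL -> P: the permission is granted once, to the domain local group, never to users
$acl  = Get-Acl -Path '\\fs01\data'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'CORP\DL_Data_Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path '\\fs01\data' -AclObject $acl

# Universal security group: its member list lives in the global catalog and replicates
# forest-wide, so nest global groups in it rather than adding users directly.
New-ADGroup -Name 'U_AllStudents' -GroupScope Universal -GroupCategory Security -Path $groups
Add-ADGroupMember -Identity 'U_AllStudents' -Members 'G_Students_Data'

# Distribution group: no SID in the token, cannot appear in an ACL, mail routing only.
New-ADGroup -Name 'Dist_Students_Mail' -GroupScope Universal -GroupCategory Distribution -Path $groups
Add-ADGroupMember -Identity 'Dist_Students_Mail' -Members 'ps11ga'
# Turning a distribution group into a security group later is a privilege change: review the
# members first.   Set-ADGroup -Identity 'Dist_Students_Mail' -GroupCategory Security

# Verify: all security groups the user belongs to, including nested ones, in one LDAP query
# (matching rule 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN). This is what the
# KDC puts into the ticket; the distribution group must not be in the list.
$dn = (Get-ADUser -Identity 'ps11ga').DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
    Where-Object { $_.GroupCategory -eq 'Security' } |
    Select-Object Name, GroupScope, GroupCategory
# Same view from inside the user's own session:  whoami /groups
```

A new membership only reaches the token at the next logon (a new ticket), which is why a user who was just added to G_Students_Data still gets "access denied" on \\fs01\data until they log off and on.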
Active Directory
Additional domain controllers
•  Redundancy (a single DC is a single point of failure for the whole domain)
•  Load balancing of authentication and LDAP queries
•  Remote/branch offices (local logon even when the WAN link is down)
•  Installation options
   –  DNS
   –  Global Catalog
   –  RODC
Active Directory
Read Only Domain Controller, RODC
•  Reduces the attack surface of a DC placed where physical security is weak
   –  Only the passwords (secrets) of accounts allowed by its Password Replication Policy are cached on it; administrators and other sensitive accounts are denied by default
   –  Holds a read-only copy of the domain; writes are referred to a writable DC and replication is one-way, so nothing changed on the RODC flows back
•  Suitable for remote/branch offices
•  Installation can be delegated to a user who is not a Domain Admin: the RODC account is pre-created (staged) by an administrator, who names that user as delegated administrator
Caveat: whoever takes the RODC still gets every cached secret, so keep the allowed list to the accounts that actually log on at the branch, and if the RODC is lost, reset the passwords of the accounts it had cached.
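The RODC slide's three points (delegated installation, selective password caching, reduced attack surface) as an added PowerShell example that is not from the lecture. It assumes the domain corp.example.local, a site named Kalmar, a server RODC01, a delegated account CORP\branch-admin and groups CORP\Kalmar-Users, CORP\Kalmar-PCs and CORP\Helpdesk-Students; all of these are assumptions.

```powershell
# Added example, not from the lecture: stage an RODC account so a branch user can finish the
# promotion without Domain Admin rights, scope its Password Replication Policy (PRP), and
# audit which secrets it has actually cached.
# Assumed: domain corp.example.local, site Kalmar, server RODC01, delegated account
# CORP\branch-admin, groups CORP\Kalmar-Users, CORP\Kalmar-PCs, CORP\Helpdesk-Students.
Import-Module ActiveDirectory

# 1. Domain Admin, at HQ: pre-create the RODC computer object and delegate the install.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'RODC01' `
    -DomainName 'corp.example.local' `
    -SiteName 'Kalmar' `
    -DelegatedAdministratorAccountName 'CORP\branch-admin' `
    -InstallDns:$true

# 2. PRP: allow caching only for branch accounts. The built-in "Denied RODC Password
#    Replication Group" already covers Domain Admins, Enterprise Admins, krbtgt and the
#    operator groups; anything else sensitive that visits the branch is denied explicitly.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC01' `
    -AllowedList 'CORP\Kalmar-Users', 'CORP\Kalmar-PCs'
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC01' `
    -DeniedList 'CORP\Helpdesk-Students'

# 3. branch-admin, on the branch server: finish the promotion against the staged account.
#    The account needs local admin on this server and nothing in AD beyond the delegation above.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName 'corp.example.local' -UseExistingAccount `
    -Credential (Get-Credential 'CORP\branch-admin') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# 4. Audit, at HQ: what the RODC has cached is exactly what an attacker with the box gets.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC01' -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
# Accounts that authenticated through it but are not cached: candidates for the allowed list,
# or evidence that an admin logged on at the branch and should not have.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC01' -AuthenticatedAccounts |
    Select-Object SamAccountName, ObjectClass
# If RODC01 is stolen: delete its computer object in Active Directory Users and Computers and
# accept the offer to reset the passwords of all accounts that were cached on it.
```

Reviewing the revealed list periodically matters more than the initial PRP: every allowed account that ever logs on at the branch stays cached there afterwards.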


Active Directory
Flexible Single Master Operation (Operations Masters):
•  Schema Master (scope: the whole forest)
•  Domain Naming Master (scope: the whole forest)
•  PDC Emulator (scope: the current domain)
•  RID Master (scope: the current domain)
•  Infrastructure Master (scope: the current domain)

How many roles do you get if you have a forest with 12 domains?
   1  Schema Master
   1  Domain Naming Master
  12  PDC Emulators
  12  RID Masters
+ 12  Infrastructure Masters
  38  FSMO roles


Active Directory
Schema Master (scope: the whole forest):
•  the only DC on which the schema can be modified
•  tools: the Active Directory Schema snap-in (schmmgmt.dll must first be registered with regsvr32) and ntdsutil
Domain Naming Master (scope: the whole forest):
•  checks for changes in the namespace
•  handles adding and removal of domains (and application partitions) in the forest
Figure: the first DC in the forest is, by default, the holder of both the Schema Master and the Domain Naming Master roles.


Active Directory
PDC Emulator (scope: its own domain):
•  originally used for backward compatibility with Windows NT: it acts as the PDC towards Windows NT BDCs and pre-Windows 2000 clients
•  still the busiest role today: password changes are sent to it first and a DC that rejects a logon asks it before failing the user (so lockouts and fresh passwords are honoured domain-wide at once), it is the authoritative time source for the domain, and it is the DC the Group Policy editor writes to by default
Figure: several Windows NT BDCs replicating from the Windows 2000/2003 DC that holds the PDC Emulator role, next to the other Windows 2000/2003 DCs.


Active Directory
Flexible Single Master Operation
RID Master (scope: its own domain):
•  there is exactly one RID Master per domain; it allocates the relative identifiers (RIDs) that make every SID in the domain unique
•  every security principal (user, group, computer) in a domain has a Security Identifier (SID): the domain's SID followed by a RID
•  the system uses the SID, never the name, in ACLs and access tokens, so renaming an object changes nothing in the permissions it has
Example:
   S-1-5-21-<domain identifier>-1013   (an account in the domain: the domain SID followed by the RID 1013)
   S-1-5-32-544                        (Builtin\Administrators, a well-known SID with the same value in every domain)


Active Directory
Flexible Single Master Operation
RID Master (scope: its own domain), cont.:
•  every domain controller receives a pool of RIDs (by default a block of 500) for its own use, so it can create objects without contacting the RID Master for each one
•  when about half of the pool has been consumed the DC asks the RID Master for a new block; if the RID Master stays unavailable long enough the DC eventually cannot create new security principals
•  the RID is combined with the domain SID to produce a unique SID for every new object
Figure: the DC holding the FSMO role RID Master hands out RID pools to the other DCs in the domain.


Active Directory
Flexible Single Master Operation
Infrastructure Master (scope: its own domain):
also known as the "Infrastructure Daemon"; it maintains references to objects in other domains, known as "phantoms", and updates them when the referenced object is renamed, moved or deleted.
Figure (domains A, B and C; a DC in domain C holds the Infrastructure Master role):
1.  Example: three user accounts B1, B2 and B3 in domain B are members of group C1 in domain C.
2.  The "infrastructure daemon" in domain C maintains the phantom records through which group C1 refers to the domain B user accounts.


Active Directory
Infrastructure Master
Figure: DC with the global catalog (1) queried by the DC holding the "Infrastructure Master" role, which then replicates (2) to the other DCs in the domain.
1.  It compares its phantom records with the data in the global catalog, which automatically receives updates for all objects in all domains and therefore holds no stale data.
2.  The "infrastructure daemon" updates all its phantoms with the changes it finds in the global catalog, then replicates the corrected references to all domain controllers in its own domain.
Caveat: if the Infrastructure Master is itself a GC it holds the real cross-domain objects and has no phantoms to compare, so it never updates anything. Place the role on a DC that is not a GC, unless every DC in the domain is a GC (then it does not matter). In a single-domain forest the role has nothing to do.


Active Directory
Tools for the administration of the FSMO roles:
•  GUI
   –  Active Directory Users and Computers (domain roles only: PDC Emulator, RID Master, Infrastructure Master)
   –  Active Directory Domains and Trusts (Domain Naming Master only)
   –  Active Directory Schema (Schema Master only)
•  Command-line tools
   –  NTDSUTIL (all roles; transfer as well as seize)
   –  PowerShell: Move-ADDirectoryServerOperationMasterRole (all roles; with -Force it seizes), and netdom query fsmo to list the holders

When should you use NTDSUTIL rather than "Active Directory Users and Computers"?
The GUI can only transfer a role, which requires the current holder to be online. When the holder is permanently gone (failed disk, decommissioned without demotion) the role must be seized with ntdsutil or PowerShell -Force. A DC whose role has been seized must never be brought back on the network, because two DCs would then claim the same role (two RID Masters hand out overlapping SIDs); clean up its metadata instead.
Active Directory
Who has permission to move the FSMO roles?
FSMO role               Member of
Schema Master           Schema Admins
Domain Naming Master    Enterprise Admins
RID Master              Domain Admins
PDC Emulator            Domain Admins
Infrastructure Master   Domain Admins


FSMO roles
•  Who holds the role? (netdom query fsmo, Get-ADForest / Get-ADDomain, or the snap-ins listed above)
•  How do you move a role? (transfer while both DCs are online; seize only when the holder is gone for good)
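The two questions above, answered in an added PowerShell example that is not from the lecture: list the holders, check the Infrastructure Master placement against the global catalog, confirm the operator's group membership, and transfer or seize. It assumes the domain corp.example.local with DCs DC01 (current holder) and DC02; both names are assumptions.

```powershell
# Added example, not from the lecture: enumerate FSMO holders, sanity-check Infrastructure
# Master vs. global catalog placement, and move roles. Transfer (graceful) and seize (-Force)
# are different operations: seize only when the old holder is permanently gone.
# Assumed: domain corp.example.local, DCs DC01 (current holder) and DC02.
Import-Module ActiveDirectory

# Who holds what: 2 forest-wide roles plus 3 per domain (a 12-domain forest has 2 + 3*12 = 38)
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
netdom query fsmo                 # the same answer from the classic tool

# The Infrastructure Master must not be a GC unless every DC in the domain is a GC.
$im    = Get-ADDomainController -Identity $domain.InfrastructureMaster
$allGc = (Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if ($im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure Master $($im.HostName) is a GC but not all DCs are; it will never update phantoms"
}

# Do I have the right to move the roles? (Schema Admins / Enterprise Admins / Domain Admins)
whoami /groups | Select-String 'Schema Admins|Enterprise Admins|Domain Admins'

# Transfer: old and new holder both online; the old holder hands the role over cleanly.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster
# The same transfer with ntdsutil (one tool for all five roles):
#   ntdsutil roles connections "connect to server DC02" quit "transfer pdc" quit quit

# Seize: DC01 is dead. -Force attempts a transfer first and seizes only if that fails.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole RIDMaster -Force
# Afterwards remove DC01 from the directory (ntdsutil "metadata cleanup", or delete the DC object
# in Active Directory Users and Computers) so it can never return with a duplicate RID pool.

# Do not trust the move until every DC agrees on the new holder, i.e. the change has replicated.
Get-ADDomainController -Filter * | ForEach-Object {
    "$($_.HostName): RID Master = " + (Get-ADDomain -Server $_.HostName).RIDMaster
}
```

Asking each DC in turn for the holder, rather than only the DC you ran the move on, catches the case where replication is broken and part of the domain still points at the old server.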


Active Directory
Slow boot – DC
•  Active Directory initial synchronization requirement
   –  a DC that holds any FSMO role does not advertise itself as a DC (and cannot be used) until it has completed an initial synchronization
   –  it must first replicate successfully with a partner for each directory partition
   –  a lone DC in a lab, or a DC whose only partner is down, therefore boots slowly; also check whether a FSMO role was moved while the DC was offline, since it may be waiting to learn that it no longer holds it
•  This check can be turned off during testing
   –  regedit
   –  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
   –  "Repl Perform Initial Synchronizations"=dword:00000000
   –  http://bit.ly/4xB6Sm
Caveat: lab use only. Without the initial sync a DC can start acting as RID Master or PDC Emulator on stale data, which is exactly what the check exists to prevent.
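The registry change above, as an added PowerShell example (not from the lecture) that first shows why the DC is waiting, then applies the lab-only setting and restores the default afterwards. It assumes it is run on the affected DC as a Domain Admin.

```powershell
# Added example, not from the lecture: diagnose a DC stuck in initial synchronization,
# disable the requirement for a lab, and put the default back.
# Assumed: run on the affected DC as Domain Admin.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$name = 'Repl Perform Initial Synchronizations'

# Why is it waiting? A FSMO holder refuses to advertise until it has replicated with a partner.
repadmin /showrepl                          # replication partners, last success and last failure
dcdiag /test:Advertising /test:FsmoCheck    # "not advertising" plus which roles this DC holds

# Lab only: value 0 makes the DC advertise (hand out RIDs, act as PDC Emulator, ...) without
# first proving its copy of the directory is current. Never leave it set in production.
Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
Get-ItemProperty -Path $key -Name $name | Select-Object $name

# Restore the default once the lab is done: an absent value means 1, initial sync required.
Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
```

Leave repadmin /showrepl as the first step even in the lab: in most real cases the DC is waiting on a partner that is reachable but has a broken DNS record or a stale trust between the DCs, and that is the thing to fix.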
