
ACTIVE DIRECTORY

WHERE IT ALL GOES DOWN!!

WHAT A DOMAIN CONTROLLER DOES

• DCs create logical containers
• These containers organize a server
• Containers also make it easier to manage a server

DCS

• You should have more than one DC
• DCs provide redundancy
• DCs provide fault tolerance
• DCs provide load balancing

AD IS A DIRECTORY SERVICE

• AD is used to create logical containers
• Its performance is affected by
  • Server hardware
  • Network capabilities
  • Also the type of WAN connection
• Be sure to test AD before implementing it in a live environment
ADDING DCS

• Installation considerations
  • Use a static IP address
  • If adding to an existing domain, use the domain’s DNS server
  • Don’t allow the computer to add one automatically

ADDS

• Adding the ADDS role doesn’t automatically make the server a DC  T or F
• Adding the ADDS role only preps the server for the conversion process  T or F
• Once the ADDS role is installed, the server cannot be promoted to a DC  T or F
PROMOTING TO A DC

• After the ADDS role is installed, the ADDS installation wizard automatically comes up
• Create a new forest with a DC
• New DCs can be added to existing domains
• Child domains can be created in an existing domain

LAB

• Create a child DC in an existing domain
• Check to make sure you did the lab correctly

REMOVING A DC

• Using the Remove Roles and Features wizard
• Using PowerShell:

Uninstall-ADDSDomainController -ForceRemoval -LocalAdministratorPassword <password> -Force
REMOVE YOUR AD DS - LAB

• Add roles and features
• Don’t forget to demote the server
  • First demote
  • Then remove ADDS and DNS

DNS AND AD DS

• DNS is essential to ADDS
• The DNS records are
  • Used to locate DCs
  • Used to locate ADDS
• ADDS needs access to DNS because registration is handled automatically upon creation

REGISTRATION CONCERNS

• Failed registration can have negative effects
  • Computers can’t use the controller to join the domain
  • Existing domain members won’t be able to log on
  • DCs can’t replicate with a failed controller

TESTING REGISTRATION

• Registration can be tested with a CLI command:
• Dcdiag /test:registerindns /dnsdomain:<domain name> /v
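As an added example (not part of the slides), the following PowerShell first checks the DC locator SRV records that a successful registration must have created, then runs the dcdiag test named on the slide and reads its verdict. It assumes a domain-joined Windows host with the DnsClient module and dcdiag.exe available; the domain name defaults to the local machine's.

```powershell
# Added example (not from the slides): confirm the DC locator records that DNS must hold
# for the slide's "registration" to have worked, then run the dcdiag test the slide names.
# Assumes a domain-joined Windows host with the DnsClient module and dcdiag.exe available.
param([string]$DnsDomain = $env:USERDNSDOMAIN)

# Clients find DCs through these SRV records. If they are missing, the join, logon and
# replication failures listed on the "Registration concerns" slide follow.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$DnsDomain"       # LDAP on any DC in the domain
    "_kerberos._tcp.dc._msdcs.$DnsDomain"   # Kerberos KDC on any DC
    "_ldap._tcp.pdc._msdcs.$DnsDomain"      # the PDC emulator
)
$missing = 0
foreach ($name in $srvNames) {
    try {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { '{0,-45} -> {1}:{2}' -f $name, $_.NameTarget, $_.Port }
    } catch {
        $missing++
        Write-Warning "No SRV record for $name : $($_.Exception.Message)"
    }
}

# The CLI test from the slide, with its verbose output captured so the verdict can be read.
$output = dcdiag /test:RegisterInDNS /DnsDomain:$DnsDomain /v
if ($output -match 'passed test RegisterInDNS') {
    'RegisterInDNS: passed'
} else {
    Write-Warning 'RegisterInDNS: failed; review the dcdiag output'
    $output
}
if ($missing -gt 0) { Write-Warning "$missing locator record(s) missing; clients may not find a DC" }
```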
CONFIGURATION OPTIONS OF DNS

• Install DNS services on the computer being configured
• Or host the DC on a different DNS server

USER OBJECTS

• User accounts are the main means of accessing AD resources
• There are several types of accounts:
  • Local users
    • Can only access resources on the current computer
    • Are not replicated to other computers
    • No access to AD

USER OBJECTS (CONT.)

  • Domain users
    • Access to AD
    • Replicated to other computers
  • Built-in accounts
    • Automatically created on Windows Server 2012
    • Administrator
      • On a stand-alone server, this account has full control of files on the local server
      • On a DC, this account has full control of the entire domain
      • On either server, this account cannot be deleted, but it can be renamed or disabled
    • Guest account
      • Can be a local or domain user
        • Stand-alone servers: local user account
        • DCs: domain user account

SECURITY GUIDELINES

• Administrator account
  • Rename the Administrator account
  • Set a strong password on the Administrator account
  • Limit who knows the account password
  • Don’t use it for daily, non-admin tasks
• Guest account
  • Is intended only to provide temporary network access
  • Cannot be deleted
  • Is disabled by default
  • Is not assigned a default password
  • Create unique accounts for temporary users
  • Rename the guest account after enabling it to be used
  • Don’t use the account name GUEST for temporary users
  • Set strong passwords
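As an added example (not part of the slides), this PowerShell audits the domain's built-in Administrator and Guest accounts against the guidelines above. It requires the ActiveDirectory module and read access to the domain, looks the accounts up by well-known RID rather than by name, and only reports; the 365-day and 7-day thresholds are assumptions, not values from the slides.

```powershell
# Added example (not from the slides): check the domain's built-in Administrator and Guest
# accounts against the guidelines on this slide. Requires the ActiveDirectory module and
# read access to the domain; it reports and does not change anything.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
# Look the accounts up by well-known RID (500 = Administrator, 501 = Guest), not by name:
# the slide recommends renaming them, so the name is not a reliable handle.
$admin = Get-ADUser -Identity "$domainSid-500" -Properties PasswordLastSet, LastLogonDate
$guest = Get-ADUser -Identity "$domainSid-501" -Properties PasswordLastSet

$findings = @()
if ($admin.SamAccountName -eq 'Administrator') {
    $findings += 'Administrator account still has its default name (slide: rename it)'
}
# Assumed thresholds: password older than a year, or a logon within the last week.
if (-not $admin.PasswordLastSet -or $admin.PasswordLastSet -lt (Get-Date).AddDays(-365)) {
    $findings += "Administrator password last set: $($admin.PasswordLastSet) (slide: set a strong password)"
}
if ($admin.LastLogonDate -and $admin.LastLogonDate -gt (Get-Date).AddDays(-7)) {
    $findings += "Administrator logged on $($admin.LastLogonDate): verify it is not used for daily tasks"
}
if ($guest.Enabled) {
    $findings += 'Guest account is enabled (slide: disabled by default; create unique temp accounts instead)'
    if ($guest.SamAccountName -eq 'Guest') {
        $findings += 'Enabled Guest account still named GUEST (slide: rename it after enabling)'
    }
}

if ($findings) {
    'Findings:'
    $findings | ForEach-Object { " - $_" }
} else {
    'Built-in accounts match the slide guidelines.'
}
```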
CREATE USERS

• Tools
  • Active Directory Users and Computers
  • Or the Active Directory Administrative Center

CONT.

• User 1
• User 2
• User 3
• User 4

LAB CONT.

• Create a user template
• Should we remove users when they are no longer with our organization?
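As an added example (not part of the lab), the following PowerShell covers both items on this slide: creating a user from a template account with New-ADUser -Instance, and handling leavers by disabling and moving accounts rather than deleting them straight away. The template account name, the holding OU and the 90-day window are assumptions; nothing changes until the script is run with -Commit.

```powershell
# Added example (not from the slides): the two items on this lab slide as PowerShell, using
# the ActiveDirectory module. The template account name, holding OU and 90-day window are
# assumptions; -WhatIf previews every change until the script is run with -Commit.
param([switch]$Commit)
Import-Module ActiveDirectory
$whatIf = -not $Commit
$domain = Get-ADDomain

# 1. Create a user from a template. -Instance copies settable attributes (department, title,
#    logon hours, ...) but not the name, logon name, password or group membership.
$template = Get-ADUser -Identity 'tmpl-staff' -Properties Department, Title, MemberOf   # assumed name
$newName  = 'jdoe'                                                                      # assumed logon name
$parentOu = $template.DistinguishedName -replace '^CN=[^,]+,', ''   # same OU as the template
New-ADUser -Name 'Jane Doe' -SamAccountName $newName -UserPrincipalName "$newName@$($domain.DNSRoot)" `
    -Instance $template -Path $parentOu `
    -AccountPassword (Read-Host 'Initial password' -AsSecureString) -ChangePasswordAtLogon $true `
    -Enabled $true -WhatIf:$whatIf
# Group membership is a back-link and is not copied by -Instance; add it explicitly.
foreach ($group in $template.MemberOf) {
    Add-ADGroupMember -Identity $group -Members $newName -WhatIf:$whatIf
}

# 2. Leavers: disable first, record why, move to a holding OU, and delete only after a retention
#    period. Deleting immediately destroys the SID, leaving unresolvable entries in every ACL
#    that referenced the user.
$holdingOu = "OU=Disabled Users,$($domain.DistinguishedName)"   # assumed OU, must exist
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays(90)) -UsersOnly |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike '*OU=Domain Controllers*' }
foreach ($acct in $stale) {
    Disable-ADAccount -Identity $acct -WhatIf:$whatIf
    Set-ADUser -Identity $acct -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive 90+ days" -WhatIf:$whatIf
    Move-ADObject -Identity $acct -TargetPath $holdingOu -WhatIf:$whatIf
}
```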
COMPUTER OBJECTS

• AD tracks everything on a network
• Two things are needed to access a domain:
  • A user account and password
  • A recognized computer object

COMPUTER OBJECTS STORED IN AD

• Computer object specifications
  • Define the properties of a computer
  • Specify the computer’s name
  • Specify where the PC is located
  • Specify who is able to use the computer

CONT.

• Computer objects inherit group policy settings
• Computer objects can be members of groups
  • Members of groups will inherit group permissions

COMPUTERS PRIMARILY AUTHENTICATED

• Netlogon on the client contacts Netlogon on the domain controller
• Once verified, a channel is opened between the computers
• A secure channel is used to connect to the domain
• The client must have a user account in the domain

CREATE COMPUTER OBJECTS LAB

• Computer 1
  • Tools
• Computer 2
  • AD
• Computer 3
  • Template

DISABLE USER ACCOUNT

• Disable an account
• Look at the down arrow on the account icon
WHAT ARE ORGANIZATIONAL UNITS?

• OUs are objects created to manage inheritance in AD
• By default, only one OU exists: the Domain Controllers OU
• All other OUs must be created separately
• OUs are not considered security principals
  • You cannot assign access permissions based on OUs
• Groups are the special objects that allow assigning permissions

DECENTRALIZED ADMIN

• You can assign a user admin rights to an OU
• This allows the user to do admin tasks on the assigned OU
• This won’t allow the user to do admin tasks on the whole domain
• This minimizes the number of users with global admin rights
• This limits the damage to a single OU if a mistake is made

CREATE OU LAB

• Create OUs
• Delegate control of an OU
WORKING WITH GROUPS

• Groups are collections of users
• Can contain other AD objects
• Work as security principals
• Assign permissions to a large number of users
• Users can be members of more than one group

GRANTING RIGHTS

• Groups give rights to multiple users
• You can give users access to a specific resource by granting the group permission on that resource and adding the users to the group
• You can change or remove access for all users in a group at one time by changing or removing the group’s permission on that resource
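As an added example (not part of the slides), this PowerShell applies the slide's point to a file share: the permission is granted once to a security group, and access for individual users is then managed purely through group membership. Group name, OU, folder path and sample logon names are assumptions; the folder must already exist on the server where it runs.

```powershell
# Added example (not from the slides): grant folder access to a group rather than to individual
# users, as the "Granting rights" slide recommends. Group name, OU, folder path and the sample
# logon names are assumptions; the folder must already exist on this server.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$groupName = 'Finance-Share-Modify'                    # assumed name
$groupOu   = "OU=Groups,$($domain.DistinguishedName)"  # assumed OU, must exist
$folder    = 'D:\Shares\Finance'                       # assumed path, must exist

# One domain local security group per resource-and-permission pair keeps the ACL stable:
# later access changes are membership changes, never ACL edits.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
        -Path $groupOu -Description "Modify access to $folder" -PassThru
}

# Grant the group Modify on the folder, inherited by subfolders and files.
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$($domain.NetBIOSName)\$groupName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Grant access to users: add them to the group (assumed sample logon names).
Add-ADGroupMember -Identity $group -Members 'user1', 'user2'

# Remove access for one user: change membership only; the folder ACL is untouched.
Remove-ADGroupMember -Identity $group -Members 'user2' -Confirm:$false

# Verify: who reaches the folder through this group, and the single ACE that grants it.
Get-ADGroupMember -Identity $group -Recursive | Select-Object SamAccountName
(Get-Acl -Path $folder).Access | Where-Object { $_.IdentityReference -like "*\$groupName" }
```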
