Configuring Active Directory

Managing Active Directory is usually handled through the Microsoft Management Console (MMC) and its snap-ins. You can pretty much right-click on any object to configure its properties. It’s a good idea to wander around and explore all the snap-ins and the objects they manage.

Creating new objects is almost as easy. Most objects can be created using the pull-down menus in the MMC or through right-clicking on a container or parent object. If you follow along with all the step-by-step instructions in this chapter, you’ll have a good idea of what day-to-day administration of Active Directory is like.

Creating Active Directory Components

Because every component in Active Directory is an object and most objects are managed through the MMC, you’ll be using this tool several times a day, every day, if you manage an Active Directory environment.

As you add more and more objects to the Active Directory database, efficient replication of information on the network becomes more important. The best replication strategy is often divide and conquer.

Managing intersite replication

There are two main types of replication in Windows 2000, intrasite and intersite:

Intrasite replication

The replication of data within a single site

Intersite replication

The replication of data between two or more sites

Sites

Domain controllers need to pass information back and forth to keep network information up-to-date. Sites are used to maximize replication speed among domain controllers. You can have many sites in a single domain, or a single site can span multiple domains. The main requirement for a site is that the domain controllers have fast network connections to each other.

Domain controllers within a site replicate by notifying their replication partners that they have a change; the partner then pulls the update. Because fast links are assumed inside a site, this intrasite replication runs shortly after each change rather than on a schedule. Between sites the picture is different: intersite replication is compressed and runs on the schedule and interval configured on the site link. If replication traffic is bogging down a WAN link, the first things to look at are the site link schedule and the site boundaries, before buying faster connections.

After you’ve drawn a network map of all your domain controllers and determined the interconnectivity speeds, you can start adding replication sites. Use the following steps to add a new site:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services. The Sites and Services console is now displayed, as shown in Figure 13-2.

  2. Right-click on the Sites folder and choose New Site.

  3. You’ll see the New Object -- Site screen. Type in a name for the site.

  4. Choose a site link object from the list (which may contain only one choice) and click the OK button.

  5. Repeat the relevant steps until you’ve created sites for your entire network.


Figure 13-2. The Active Directory Sites and Services console

Subnets

TCP/IP networks are divided into smaller networks, called subnets, for easier management. Usually domain controllers on the same subnet or bordering subnets are part of the same site. Subnet objects are also how Active Directory decides which site a computer is in: each subnet object is associated with exactly one site, and a client or domain controller is matched to a site by its IP address. A computer whose address falls in a subnet you have not defined has no site affinity and may end up authenticating against a domain controller on the far side of a slow link.

If you’re already familiar with TCP/IP addressing, you can create your own subnets and start associating sites with your new subnets. You can create your own subnet using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.

  2. Double-click on the Sites folder.

  3. Right-click on the Subnets folder and choose New Subnet.

  4. You’ll see the New Object -- Subnet screen.

  5. Type in the IP address for the new subnet and the subnet mask, which will determine how many addresses are included in the subnet.

  6. You’ll see a list of the existing sites; choose the site you want to associate with the new subnet.

Site links

Before two or more sites can begin to replicate data, you have to establish a site link between them. After you’ve created at least two sites, you can set up a site link between them. (The forest is created with one default link, DEFAULTIPSITELINK, which every new site is placed in until you say otherwise.) A domain controller is placed in a site by moving its server object into that site, not by adding a link. Use the following steps to create a site link:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.

  2. Double-click on the Inter-Site Transports folder. Right-click on the TCP/IP folder and choose New Site Link.

  3. You’ll see the New Object -- Site Link screen. Type a name for your new site link.

  4. Choose at least two sites and click the OK button. The new link starts with the default cost of 100 and a replication interval of 180 minutes; both can be changed later from the link’s Properties.

After you’ve created a site link, it’s easy to add a new site to the existing link or remove a site from the link. Use the following steps to perform either function:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.

  2. Double-click on the Inter-Site Transports folder, then double-click on the TCP/IP folder. Right-click on the site link you want to change and choose Properties.

  3. Under the General tab, the Sites Not in This Site Link box lists the sites that can be added and the Sites in This Site Link box lists the current members.

  4. Select a site, press Add (or Remove), and then press OK. A site link needs at least two member sites to be of any use.

If you have more than one physical path between two sites, such as an Ethernet connection and a RAS dial-up connection, you can model each one as its own site link between the same pair of sites and get a redundant route.

In the case of a RAS and an Ethernet connection, the Ethernet connection would be much faster under almost any circumstances, and you tell Active Directory so by assigning each site link a value called the site link cost. When more than one route exists, the Knowledge Consistency Checker (KCC) builds the replication connections over whichever route has the lowest total cost and falls back to the more expensive one only while the cheaper one is unavailable. You can configure a site link cost by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.

  2. Double-click on the Inter-Site Transports folder.

  3. Double-click on the TCP/IP folder.

  4. Right-click on the proper site link and choose Properties.

  5. You’ll see the Site Link Properties screen.

  6. The default cost for all links is 100. Type in a new cost in the Cost box to reflect the priority of the link. The lower the cost, the higher the priority.

Link bridges

By default, all site links that use the same transport (TCP/IP) are bridged: the KCC treats them as transitive, so two sites that do not share a site link can still replicate through an intermediate site, and the cost of that route is the sum of the site link costs along it. All the sites on a link can find each other for replication purposes without further configuration.

If the network is not fully routed (sites on two different links cannot actually reach each other over IP, because of firewalls or routing), turn off Bridge All Site Links in the Properties of the TCP/IP transport and then create site link bridges by hand for the groups of links that really are reachable from one another.

With bridging on, site links are transitive. This should be the case unless you have very specific reasons for not configuring your network this way. With bridging off, links are nontransitive: a site replicates only with sites that share a site link with it, or whose links are joined to its own in a site link bridge.

You can set up a site link bridge by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.

  2. Double-click on the Inter-Site Transports folder.

  3. Right-click on either the TCP/IP or SMTP folder and choose New Site Link Bridge.

  4. You’ll see the New Object -- Site Link Bridge screen. Type in a name for the new site link bridge.

  5. Choose at least two site links to include in the bridge and click the OK button. The links in a bridge become transitive with one another; a link that is in no bridge stays nontransitive.
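The following Python model, added here and not part of the chapter, shows how the site link cost rule and the site link bridge rule from the last two sections combine when the KCC chooses a route between two sites. The site names, link names and costs are constructed for illustration; the routine models the documented behaviour (costs add along a transitive route, lowest total wins, and with bridging off only links that share a bridge are transitive) rather than calling any Windows API.

```python
"""Model of how the KCC chooses an intersite replication route from site
link costs.  Added example, not code from the chapter.  Site and link names
and the costs are constructed for illustration."""
import heapq
from typing import Dict, List, Optional, Set, Tuple

# Each site link: (set of member sites, cost).  The chapter's default cost is 100.
# Constructed sample: a hub (HQ) with two branches and a lab; the branches also
# share an expensive dial-up backup link.
SITE_LINKS: Dict[str, Tuple[Set[str], int]] = {
    "HQ-Branch1":      ({"HQ", "Branch1"}, 100),
    "HQ-Branch2":      ({"HQ", "Branch2"}, 100),
    "Branch1-Branch2": ({"Branch1", "Branch2"}, 500),  # slow backup (RAS) link
    "HQ-Lab":          ({"HQ", "Lab"}, 100),
}

Route = Tuple[int, List[str]]


def _dijkstra(links: Dict[str, Tuple[Set[str], int]], allowed: Set[str],
              src: str, dst: str) -> Optional[Route]:
    """Lowest-cost path from src to dst using only the site links in `allowed`.
    Every pair of sites on one link is directly connected at that link's cost."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for name in allowed:
        sites, cost = links[name]
        for a in sites:
            for b in sites:
                if a != b:
                    adj.setdefault(a, []).append((b, cost))
    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist.get(site, float("inf")):
            continue                       # stale heap entry
        if site == dst:
            break
        for nxt, cost in adj.get(site, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = site
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def cheapest_route(links, src, dst, bridge_all=True, bridges=()):
    """Return (total cost, [sites...]) for the route the KCC would prefer, or
    None if the sites cannot reach each other.

    bridge_all=True models the default "Bridge all site links": every link on
    the transport is transitive, so a route may cross several links and the
    costs add up.  bridge_all=False models a nontransitive transport: a route
    must stay on one site link, or on the links of one site link bridge
    (`bridges` is a sequence of tuples of link names)."""
    if bridge_all:
        groups = [set(links)]
    else:
        groups = [set(b) for b in bridges] + [{name} for name in links]
    best: Optional[Route] = None
    for group in groups:
        route = _dijkstra(links, group, src, dst)
        if route is not None and (best is None or route[0] < best[0]):
            best = route
    return best


if __name__ == "__main__":
    # Default (transitive) behaviour: the two-hop path through HQ costs 200 and
    # beats the direct 500-cost backup link, so the backup is used only when a
    # link to HQ is down.
    print(cheapest_route(SITE_LINKS, "Branch1", "Branch2"))
    # Bridging off and no bridge: only the direct link is usable, and Lab is
    # unreachable from Branch1 until a site link bridge covers both links.
    print(cheapest_route(SITE_LINKS, "Branch1", "Branch2", bridge_all=False))
    print(cheapest_route(SITE_LINKS, "Branch1", "Lab", bridge_all=False))
    print(cheapest_route(SITE_LINKS, "Branch1", "Lab", bridge_all=False,
                         bridges=[("HQ-Branch1", "HQ-Lab")]))
```

The point to take from the output is that a direct link does not automatically win: with bridging on, the two 100-cost hops through HQ beat the 500-cost backup link, which is exactly the behaviour you want from a dial-up fallback. Turn bridging off and the backup link becomes the only route between the branches, while Lab is unreachable from Branch1 until a bridge joins the two HQ links.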

Bridgehead servers

The Knowledge Consistency Checker (KCC) picks one domain controller in each site to exchange replication traffic with the other sites; that server is the site’s bridgehead server. Any domain controller can play this role. If some domain controllers have particularly fast or well-placed network connections, you can list them as preferred bridgehead servers, and the KCC will then pick the site’s bridgehead only from that list.

If your network has a firewall between replicating sites, designating preferred bridgehead servers is what makes the replication traffic predictable: only the RPC replication traffic between the named bridgeheads on each side has to be permitted through the firewall, instead of traffic from every domain controller in each site. The firewall itself does not receive or relay replication data.

You can list more than one preferred bridgehead server for a site, but the KCC uses only one of them at a time. Be aware of the trade-off: once a site has a preferred bridgehead list, the KCC will not fall back to a domain controller outside that list. If every preferred bridgehead in the site is down, the KCC logs an error and intersite replication for that site stops until one of them returns. You can configure a preferred bridgehead server by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.

  2. Expand Sites, then the site in question, then its Servers folder. Right-click on the domain controller you want to make the preferred bridgehead server and choose Properties.

  3. You’ll see the Domain Controller Properties screen. Look for the Transports Available for Inter-Site Data Transfer box.

  4. Choose the intersite transport or transports on the list that the DC will be a preferred bridgehead server for.

  5. Click the Add button and click OK.

Managing intrasite replication

Replicating data between domain controllers within the same site is called intrasite replication. The Knowledge Consistency Checker (KCC) running on each domain controller automatically builds a ring topology for intrasite replication. The ring isn’t physically wired that way; it is a set of connection objects that passes changes from one domain controller to the next in a set order.

Each domain controller in the ring has a connection to its neighbor in each direction, so changes travel both ways around the ring, and as the ring grows the KCC adds extra connections so that no domain controller is more than three replication hops from any other. If a domain controller is unable to participate in the replication process, the KCC routes around it and replication continues with the next available domain controller.

Active Directory will recognize if a domain controller is added to or removed from a site and automatically adjust the ring’s topology. To ensure the best performance, Active Directory will periodically look for a more efficient way to pass data among the domain controllers in a site. If it finds one, the replication path is automatically updated.

Global catalog servers

The global catalog is a database of object attributes for the entire Active Directory forest. The global catalog is automatically initialized on the first domain controller in a forest. This computer is called the global catalog server .

The global catalog will contain all the attributes for every object in its own domain. For other domains in its tree and forest, it contains a partial list of the most frequently used attributes of the rest of the objects in the forest.

The two main purposes for the global catalog are to answer queries that span the forest and to supply information that domain controllers need at logon. Clients and applications searching for an object whose domain they don’t know (a user anywhere in the forest, a printer in another domain) query the global catalog over LDAP on port 3268 instead of a single domain’s directory on port 389, and get back the partial attribute set for every matching object. Files and folders are not directory objects, so their contents and permissions are never in the global catalog; only shared folders that you publish appear there, and only as pointers to a UNC path.

Users can log on from any computer in the forest, regardless of physical location, because the domain controller handling the logon asks a global catalog server to resolve a user principal name such as katie@oreilly.com to the right domain and to enumerate the universal groups the user belongs to; universal group membership can carry Deny entries, so it has to be known before the user’s access token is built. If no global catalog server can be reached, a domain controller in a native-mode domain refuses the domain logon (members of Domain Admins are exempt), and the user can log on only with credentials that the workstation has cached from an earlier logon or with a local account. That dependency is the main reason to place a global catalog server in every site.

Global catalog servers can generate a lot of network traffic because they have to constantly deliver information about every object in the forest whenever it’s requested. Although it’s a good idea to have multiple global catalog servers for both reliability and load balancing, be sure the server has a high-bandwidth connection.

Organizational Unit Structure

The best way to break down a Windows 2000 domain into manageable sections is through the Organizational Unit (OU) structure. Each unit can reflect the actual departmental breakdowns inside your organization. You can place user accounts, computers, groups, published shared folders, and most other objects in a specific OU. An OU is a scope for administration rather than a security principal: you can set permissions on the OU that control who may manage the objects inside it, and you can link Group Policy to it, but you cannot grant an OU access to a file share or printer; a user’s access to resources still comes from the groups he or she belongs to. If a user switches departments, you can move the account to the new OU, and it then inherits the new OU’s permission entries and Group Policy instead of the old OU’s.

Organizational Units are arranged in a hierarchy. This can start as a simple geographic breakdown and layer down into departments within each location. You can have as many layers as you’d like, but fewer layers make managing the OU proportionally easier.

Creating Organizational Units

You can create a different OU structure for every domain in the forest. The most logical way to design your OU structure is to match the real departments and jobs in your organization to each OU.

Because the OU structure is hierarchical, you can create a flowchart of the departments and use it as a map when creating an OU hierarchy. To create a new OU, use the following steps:

  1. Be sure you’re logged on as an administrator. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.

  2. Choose to create either a new OU in the domain or a sub-unit of an existing OU.

  3. Choose Action → New → Organizational Unit.

  4. You’ll see the New Object -- Organizational Unit screen. Type a name for the OU and click on the OK button.

  5. Repeat the relevant steps until you’ve created a complete OU structure for your organization.

Configuring Organizational Units

After you’ve taken the time to simulate the actual structure of your organization with an OU hierarchy, you can begin to customize each OU to fit the security and accessibility needs of your users. You can configure an OU by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.

  2. Click the plus sign next to the proper domain name to see which Organizational Units are available.

  3. Right-click on the OU and choose Properties.

  4. Choose one of the three configuration tabs (General, Managed By, or Group Policy). These tabs are described in more detail in Table 13-1.

  5. Configure the OU and click the OK button when you’re finished.

Table 13-1. Organizational Unit Properties

Tab

Available Properties and Their Uses

General

Contains a general description and geographical location. Filling in these properties accurately is useful when doing a keyword search for Organizational Units.

Managed By

Contains the contact information for the department head of the OU. Keeping these properties up-to-date will make contacting a user easier if there is a security or maintenance problem with his or her account.

Group Policy

Contains information about the Group Policies assigned to the OU. This information will make the future assignment of policies to similar Organizational Units easier.

Managing Active Directory Objects

Because Active Directory can hold millions of objects, the task of managing all of them can become quite daunting. The best way to deal with all the objects is to name them consistently, store them in Organizational Units, and assign policies and permissions to groups of objects, rather than individually.

Active Directory object naming conventions

Every object in the Active Directory database has at least one unique name to separate it from every other object. To manage all the different types and locations of objects, a few related naming schemes are used in Active Directory. They’re all fairly straightforward, so you should have no trouble using them.

Underneath all the descriptive names an object may have, a unique 128-bit number, called a globally unique identifier (GUID), is permanently associated with every object. This number remains constant for the life of the object, regardless of other changes to the object’s name or location.

DNS allows people to assign memorable names to computers that are really identified by 32-bit IP addresses. The same is true for Active Directory, which maps a user-friendly distinguished name (DN) to the GUID. Nobody can remember a 128-bit GUID, but it’s easy to remember an account name like kirtb or a folder called payroll.

A distinguished name includes not only the user-friendly name of the individual object, called a common name (CN), but its entire path in the directory. The path consists of the domain components (DC) that spell out the domain’s DNS name (oreilly.com), any Organizational Unit (OU) names along the way (employees and its subdivision, editors), and finally the CN. Written in the canonical form that the Active Directory tools display, the whole thing looks like oreilly.com/employees/editors/katie; the LDAP form that the directory actually stores lists the same components leaf first: CN=katie,OU=editors,OU=employees,DC=oreilly,DC=com. If Katie decided to work in the production department for a few months, her account’s DN would change (to CN=katie,OU=production,OU=employees,DC=oreilly,DC=com), but the underlying GUID would remain the same.

If two objects have the same common name, it’s not a problem so long as they’re in different Organizational Units. Their distinguished names would be different because the OU portion of their paths wouldn’t be the same.

There is one other type of name, called a user principal name (UPN). It’s a logon name in email-address form, username@suffix, for example katie@oreilly.com; by default the suffix is the DNS name of the user’s domain, and it is usually chosen to match the user’s email address. Because a UPN logon is resolved through the global catalog without naming a domain, a UPN must be unique across the entire forest, not just within one domain.
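The following Python helpers, added here and not part of the chapter, make the relationship between the name forms above concrete: they convert the canonical path the chapter shows into the LDAP distinguished name and back, escape the characters that would otherwise break a DN apart (a CN such as "Smith, John" is common), and show why two objects with the same CN in different OUs never collide and why a move changes the DN but not the leaf. Treating katie as the object’s CN is an assumption (the chapter only calls it the user-friendly part of the name), and the extra sample names are constructed.

```python
"""Converting between Active Directory name forms.  Added example, not code
from the chapter.  The chapter's sample path oreilly.com/employees/editors/katie
is the canonical name; the LDAP distinguished name the directory stores is
CN=katie,OU=editors,OU=employees,DC=oreilly,DC=com.  Treating 'katie' as the
object's CN is an assumption; other sample names are constructed."""
from typing import List, Tuple

# Characters RFC 2253 requires to be backslash-escaped inside an RDN value.
_SPECIAL = ',+"\\<>;'
_HEX = "0123456789abcdefABCDEF"


def escape_value(value: str) -> str:
    """Escape one RDN value so that commas and friends in a name (e.g. a CN of
    'Smith, John') do not break the DN apart.  A leading '#' and leading or
    trailing spaces are escaped as well, as the RFC requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute type, unescaped value) pairs, leaf first,
    honouring both backslash escapes (\\,) and two-digit hex escapes (\\2C)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
                cur.append(chr(int(pair, 16)))
                i += 3
            else:
                cur.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().upper(), val))
    return pairs


def canonical_to_dn(canonical: str, container_type: str = "OU") -> str:
    """oreilly.com/employees/editors/katie -> CN=katie,OU=editors,OU=employees,DC=oreilly,DC=com.
    Intermediate path components are OUs; pass container_type="CN" for the
    built-in containers such as Users, which are CN= objects, not OUs."""
    domain, _, path = canonical.partition("/")
    parts = path.split("/") if path else []
    if not parts:
        raise ValueError("canonical name needs a domain and at least a leaf")
    rdns = ["CN=" + escape_value(parts[-1])]
    rdns += [f"{container_type}={escape_value(p)}" for p in reversed(parts[:-1])]
    rdns += ["DC=" + escape_value(label) for label in domain.split(".")]
    return ",".join(rdns)


def dn_to_canonical(dn: str) -> str:
    """The reverse: DC components become the DNS name, the rest becomes the path."""
    pairs = split_dn(dn)
    domain = ".".join(v for t, v in pairs if t == "DC")
    path = [v for t, v in pairs if t != "DC"]
    return domain + "/" + "/".join(reversed(path))


def move_dn(dn: str, new_parent_dn: str) -> str:
    """A move keeps the object's leaf RDN (and its GUID) and replaces the parent
    path, which is exactly why the DN changes when Katie moves to production."""
    attr, value = split_dn(dn)[0]
    return f"{attr}={escape_value(value)},{new_parent_dn}"


if __name__ == "__main__":
    print(canonical_to_dn("oreilly.com/employees/editors/katie"))
    print(canonical_to_dn("oreilly.com/employees/Smith, John"))
    print(dn_to_canonical("CN=Smith\\2C John,OU=employees,DC=oreilly,DC=com"))
    print(move_dn("CN=katie,OU=editors,OU=employees,DC=oreilly,DC=com",
                  "OU=production,OU=employees,DC=oreilly,DC=com"))
```

The escaping is the part worth keeping: a script that builds DNs by string concatenation from display names will break, or worse, address the wrong object, the first time a name contains a comma. Note too that the default Users container the chapter’s account-creation steps use is CN=Users, not an OU, which is why the converter takes a container type.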

Creating accounts

There are two major types of user accounts in a Windows 2000 network, local user accounts and domain user accounts. Only domain user accounts are objects in Active Directory; a local user account lives in the Security Accounts Manager (SAM) database of the one computer it was created on and is invisible to the rest of the domain:

Local user account

Grants access to resources that are on the local computer where the account was created

Domain user account

Grants access to resources throughout the entire network, as long as trust relationships exist between domains

You can set up local user accounts on computers that aren’t yet connected to the rest of the network or on mobile systems, which are often used without a network connection, yet still need some form of security. When you create a local user account, the password is stored only on the local computer.

Most of the time, the best solution is to create a domain user account. This will allow the greatest flexibility in accessing resources. To take full advantage of domain user accounts in Active Directory, you should store user accounts within an OU rather than in the default Users container, which is not an OU and cannot have Group Policy linked to it.

As long as you are logged in as an administrator for the local machine, you can create a new local user account by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Computer Management. This opens the MMC snap-in shown in Figure 13-3.

  2. Click the plus sign next to the Local Users and Groups snap-in.

  3. Right-click on Users and select New User.

  4. You’ll see the New User screen. Configure the account with a username, password, and whatever other details you need.


Figure 13-3. The Computer Management MMC snap-in

As long as you are logged in as an administrator for the domain, you can add a new domain user account by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.

  2. Double-click on the correct domain and right-click on Users.

  3. Choose New and then choose User.

  4. You’ll see the New Object -- User screen. Fill in both names: the User logon name is the UPN (the name you type plus the domain suffix shown next to it), and the User logon name (pre-Windows 2000) is the down-level account name, at most 20 characters, which the user will need in order to log in from any version of Windows other than 2000.

  5. Click the Next button and configure the password and password options.

  6. Click the Finish button.

Locating objects

All objects have descriptive properties, called attributes . When you search for an object, you’ll really be searching for one or more of the object’s attributes that make it unique in the network. Some common attributes are: Name, Organizational Unit, and Description.

There is a tool called Find to help you search for objects in the Active Directory. If you’ve used an Internet search engine, you’ll be prepared for using the Find program. You can start Find by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.

  2. Right-click on the smallest container you think might contain your object and choose Find.

  3. You’ll see the Find Users, Contacts and Groups screen. Fill in whatever you know about the object and click the Find Now button.

Moving objects

You can either move objects within a domain or between domains, and different rules apply to each. Moving objects within a domain is far simpler and less error prone. You can move an object within a domain by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.

  2. Highlight the object you want to move and choose Action → Move.

  3. Choose the destination OU and click the OK button.

There are only a few simple rules for moving an object within a domain:

  • You can move more than one object at a time.

  • Objects lose the permission entries and Group Policy they inherited from their former OU and inherit those of their new OU.

  • Permissions directly applied to the object itself remain unchanged.

You can also move objects between domains in the same forest. The tool for this is the MOVETREE program, part of the Windows 2000 Support Tools found in the \Support\Tools folder on the installation CD. It can move most objects, with notable exceptions such as domain controllers, objects in the built-in containers, and global and domain local groups that still have members (universal groups can be moved with their members). Files and folders are not directory objects and are not moved by MOVETREE. Run a /check pass first and review the result before a real move. MOVETREE is a command-line program with many options, which are described in Table 13-2.

Table 13-2. MOVETREE Command Options

Option

Description

/?

Brings up the MOVETREE help file

/check

A trial run that tests the move without actually moving the objects

/continue

Continues a paused or stopped MOVETREE operation

/start

Runs a check operation and then actually performs the move

/startnocheck

Executes the move operation without performing a check

/verbose

Reports progress during the move operation (useful for both troubleshooting and learning about what’s happening)

Publishing Resources

Users will look in the Active Directory for the resources that are available to them on the network. Some items, such as a printer shared from a Windows 2000 computer, are listed in the directory automatically when the printer is shared. Other items, like shared folders and printers on Windows NT servers, have to be published by a network administrator before they appear in the directory. (User accounts and computers are not published; they are created directly in the directory.)

Different types of objects are published in different ways. Shared folders and legacy NT printers are published using the Active Directory Users and Computers snap-in. The most common item you’ll probably have to publish is a shared folder. A published shared folder is only a pointer to a UNC path: who can actually open the share is still governed by the share and NTFS permissions on the file server, not by the permissions on the directory object. Use the following steps to publish a shared folder in the Active Directory:

  1. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.

  2. Choose the domain you want the shared folder to be in.

  3. Right-click on the container you want to hold the folder.

  4. Choose New → Shared Folder.

  5. You’ll see the New Object -- Shared Folder screen. Fill in a name for the folder and type the UNC path that you want the shared folder to point to.

Securing Resources

The most flexible way to secure resources in a Windows 2000 network is through permissions. Permissions describe which actions are available to a user or group. There are several types of permissions that can be assigned. The five most common permissions are described in Table 13-3.

Table 13-3. Windows 2000 Permissions

Permission

Function

Read

View an object and its properties, such as its owner and permissions, without changing them

Write

Modify an object without changing its owner or permissions

Full Control

Includes Read and Write permissions and adds the ability to modify, delete, take ownership, and change permissions

Create All Child Objects

Add any object to an Organizational Unit

Delete All Child Objects

Remove any object from an Organizational Unit

Windows 2000 stores the permission information for every object in a structure called the security descriptor, which holds the owner and an Access Control List (ACL) made up of individual entries (ACEs) that each allow or deny a set of rights to one user or group. The ACL is not a separate file: for an Active Directory object it is stored with the object in the directory database, and for a file or folder it is stored in the NTFS file system metadata. Directory permissions and NTFS permissions therefore have the same structure and are edited through the same kind of Security tab, but they are separate lists protecting separate things; permissions on a user object in the directory say nothing about what that user can do to files.

It is easier to assign permissions to groups of users, rather than to each individual user. A user’s effective permissions are the combination of the entries that name the user and the entries that name any group the user belongs to, with one rule on top: a Deny entry overrides an Allow entry of equal standing for the same right (an entry set directly on the object outranks one inherited from its container), so denying a right to a group takes it away from every member regardless of what other groups grant. Permissions can be either granted or denied on an object-by-object basis.

Because Active Directory lists all the objects in one hierarchical directory and permissions can be inherited, assigning permissions is a straightforward process in Windows 2000. Most permissions can be assigned by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.

  2. Choose View and make sure Advanced Features is selected.

  3. Click once on the object you want to assign permissions for.

  4. Choose Action → Properties, then choose the Security tab.

  5. Click on the Add button, choose the group you’re assigning permissions for, and then place checkmarks in either the Allow or Deny boxes for the desired permission.

The five permissions discussed in Table 13-3 are called standard permissions . These are used most often. If you need to control access in a more specific way, there are many more permissions available, called special permissions . If you’d like to see the special permissions for an object, follow the first four steps listed earlier and continue on with the following steps:

  1. In the Security tab, click the Advanced button.

  2. You’ll see the Access Control Settings screen. Choose the object you want to modify and click the View/Edit button.

  3. Add or remove checkmarks for the appropriate special permissions.
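The following Python model, added here and not part of the chapter, works through the two things the text above leaves implicit: the order in which Windows evaluates Allow and Deny entries (explicit before inherited, Deny before Allow at each level), and what the move rules in "Moving objects" do to an object’s ACL (inherited entries replaced, directly assigned entries kept). Group and user names are constructed; real entries name SIDs, and the model ignores generic rights, property sets and owner rights, so it illustrates the precedence rule rather than reimplementing the access check.

```python
"""Model of how Windows evaluates a DACL, and what the chapter's move rules do
to an object's ACL.  Added example, not code from the chapter; group and user
names are constructed (in a real DACL the trustees are SIDs)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple

# A few of the object rights behind the chapter's standard permissions.
READ, WRITE, DELETE, WRITE_DAC, WRITE_OWNER, CREATE_CHILD, DELETE_CHILD = (
    "READ", "WRITE", "DELETE", "WRITE_DAC", "WRITE_OWNER", "CREATE_CHILD", "DELETE_CHILD")
FULL_CONTROL = frozenset({READ, WRITE, DELETE, WRITE_DAC, WRITE_OWNER, CREATE_CHILD, DELETE_CHILD})


@dataclass(frozen=True)
class Ace:
    trustee: str              # user or group the entry is for
    allow: bool               # True = Allow entry, False = Deny entry
    rights: FrozenSet[str]
    inherited: bool = False   # came from a parent container (OU)


def canonical_order(dacl: Iterable[Ace]) -> List[Ace]:
    """Canonical DACL order: explicit Deny, explicit Allow, inherited Deny,
    inherited Allow.  The GUI always writes ACLs this way; the check below
    depends on it, so sort defensively."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(dacl: Iterable[Ace], token: Set[str], requested: Iterable[str]) -> Tuple[bool, str]:
    """Walk the ACL the way the access check does.  `token` holds the user and
    every group it belongs to.  Entries for trustees not in the token are
    skipped; the first Deny that covers a still-outstanding right ends the
    check; Allows accumulate until every requested right is covered; anything
    left over at the end is an implicit deny."""
    remaining = set(requested)
    for ace in canonical_order(dacl):
        if ace.trustee not in token:
            continue
        hit = remaining & ace.rights
        if not hit:
            continue
        if not ace.allow:
            kind = "inherited" if ace.inherited else "explicit"
            return False, f"{sorted(hit)} denied by {kind} Deny for {ace.trustee}"
        remaining -= hit
        if not remaining:
            return True, "all requested rights allowed"
    return False, f"no entry grants {sorted(remaining)}"


def apply_parent(object_dacl: Iterable[Ace], parent_inheritable: Iterable[Ace]) -> List[Ace]:
    """Place (or move) an object under a container: entries inherited from the
    old parent are dropped, the new parent's inheritable entries are added as
    inherited, and entries set directly on the object survive unchanged."""
    explicit = [a for a in object_dacl if not a.inherited]
    inherited = [Ace(a.trustee, a.allow, a.rights, inherited=True) for a in parent_inheritable]
    return canonical_order(explicit + inherited)


# Constructed sample: inheritable entries on two OUs, and a user object that
# starts in OU=editors with one permission set directly on it.
EDITORS_OU = [Ace("EditorsAdmins", True, FULL_CONTROL),
              Ace("Contractors", False, frozenset({WRITE, DELETE}))]
PRODUCTION_OU = [Ace("ProdAdmins", True, FULL_CONTROL)]
KATIE_IN_EDITORS = apply_parent([Ace("HelpDesk", True, frozenset({READ, WRITE}))], EDITORS_OU)
KATIE_IN_PRODUCTION = apply_parent(KATIE_IN_EDITORS, PRODUCTION_OU)

if __name__ == "__main__":
    bob = {"bob", "HelpDesk", "Contractors"}
    # An explicit Allow on the object is evaluated before an inherited Deny from
    # the OU, so bob can write even though Contractors is denied WRITE on the OU...
    print(access_check(KATIE_IN_EDITORS, bob, {WRITE}))
    # ...but DELETE is not in the explicit Allow, so the inherited Deny wins.
    print(access_check(KATIE_IN_EDITORS, bob, {DELETE}))
    # After the move, EditorsAdmins lose their inherited rights; HelpDesk keeps its entry.
    print(access_check(KATIE_IN_PRODUCTION, {"carol", "EditorsAdmins"}, {READ}))
    print(access_check(KATIE_IN_PRODUCTION, bob, {WRITE}))
```

The bob case is the one that surprises people: a Deny placed on the OU does not stop a user who has an Allow set directly on the object, because explicit entries are evaluated first. When you audit who can change an account, look at the object’s own entries, not only at the OU’s.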

Delegating administrative control

An efficient Active Directory Organizational Unit structure will closely mirror the company’s departmental structure. To ensure security throughout the network, many tasks, such as resetting passwords, creating accounts, or changing group membership, require rights that by default only administrators hold. To make an OU run more efficiently, those specific rights, on that specific OU, can be delegated to a departmental manager or help desk group.

This will allow departments to work much more independently and quickly, without a major change to the level of security. Two points keep it that way. Delegate only the tasks the manager actually needs (reset passwords, say, rather than Full Control), because a delegate who can reset the passwords of everyone in an OU can act as any of them, so the delegate’s own account now needs the same care as an administrator’s. And delegate to a group rather than to a named person, so that a handover means changing a group membership instead of editing permissions on the OU.

Windows 2000 allows you to individually assign permissions to each object in the Active Directory. However, it is often easier to manage permissions if they are assigned to an OU, rather than an individual, or to a folder, rather than a file. You can distribute control by using the Delegation of Control Wizard.

The wizard will walk you through giving a user or group of users permission to perform tasks or control objects that they wouldn’t normally have access to. You can start the wizard by choosing Start → Programs → Administrative Tools → Active Directory Users and Computers. Select the object you want to delegate control for and choose Action → Delegate Control.

Group Policies

Most companies have several departments, and each department requires its users to use a specific group of programs. The accounting department will use billing software, and technical support will use a database to keep track of service requests. You can customize each department’s Windows desktop to reflect their individual needs by assigning Group Policies.

Implementing a Group Policy

Group Policies are used for both convenience and security. Before you actually start creating Group Policies, you should take an inventory of which programs each department or OU will need to have available and any other settings they’ll need.

Creating a Group Policy Object (GPO)

A Group Policy Object is the container that stores the Group Policy settings. There are two types of Group Policy Objects, local and non-local:

Local GPO

Every Windows 2000 computer has one local GPO to store its default settings, regardless of whether or not it is connected to a Windows 2000 network.

Non-local GPO

These are linked to sites, domains, or Organizational Units and apply to the users or computers inside that scope. They are processed after the local GPO, in the order local, site, domain, OU (and then any nested OUs), and each one can add settings or override settings from the one before. Settings accumulate; when two GPOs configure the same item, the one processed later, that is, the one linked closest to the user or computer, wins.

There is a Group Policy snap-in for the Microsoft Management Console. You can access the snap-in in several different ways, depending on which type of GPO you want to configure. Use the information in Table 13-4 to determine the best way to open the Group Policy snap-in.

Table 13-4. Group Policy Snap-In

Type of GPO

How to Open the Snap-In

Local GPO for the current computer

In the MMC, choose Console → Add/Remove Snap-In. Click on the Standalone tab, and press Add. Then click on Group Policy, press Add, and be sure Local Computer is shown as the Group Policy Object. Click Finish, Close, OK.

Local GPO for a remote computer

Same as above, except instead of looking for the local computer, browse the network for the remote computer.

Non-local GPO for an OU or a domain

Choose Start → Programs → Administrative Tools → Active Directory Users and Computers. Right-click on the OU or domain, choose Properties, and click on the Group Policy tab. Choose either New for a new GPO or Edit to modify an existing GPO.

Non-local GPO for a site

Choose Start → Programs → Administrative Tools → Active Directory Sites and Services. Right-click on the site, choose Properties, and click on the Group Policy tab. Choose either New for a new GPO or Edit to modify an existing GPO.

Group Policies apply to either a computer’s settings or a user’s settings. Computer configuration settings apply to the physical machine regardless of which user is logged in to it. User configuration settings apply to the user and roam with the user to any computer they log in to on the network. There are three main types of settings that can apply to either computer or user configuration settings: Administrative Templates , Software Settings , and Windows Settings .

Administrative Templates

Administrative Templates contain policy settings for network configuration, logon and logoff settings, and several Windows programs, such as Internet Explorer, MMC, and the task scheduler. These can apply to both the user and the computer.

Some settings will apply to only the computer or only the user. Settings that apply only to the computer include: disk quotas, DNS settings, and printers. Settings that apply only to the user include modifications to the Control Panel, desktop, Start menu, and taskbar. There are more than 400 settings that are controlled by Administrative Templates.

Software Settings

Software Settings hold Software Installation, the part of Group Policy that deploys applications packaged as Windows Installer (.msi) files. Third-party vendors can ship such packages so that their software installs the same way. Software Settings decide only how and whether a program is installed; once it’s installed, its behavior can be controlled by other Group Policies that apply to the domain, OU, or site.

There are two ways to deploy an application through Group Policy. A program can be assigned or published:

Assigning a program

A program can be assigned to computers or to users. Assigned to a computer, it is installed the next time the computer starts, before anyone logs on, so it is available to every user of that machine. Assigned to a user, it is advertised (its shortcuts and file associations appear) on every computer the user logs on to and is installed on first use; the user cannot remove it.

Publishing a program

A program can be published only to users. It is not installed or advertised; instead it appears in Add/Remove Programs in the Control Panel, where the user can choose to install it (it also installs on demand when the user opens a file of a type it handles).

Windows Settings

Windows Settings are divided into two groups, scripts and security. These settings apply to both user and computer settings. There are two types of scripts, logon/logoff and startup/shutdown:

Startup/shutdown

Run when the computer is booting up or shutting down

Logon/logoff

Run when a user is logging on or off of the computer

The security settings portion of the Group Policy Windows Settings can be used as an alternative to using an Administrative Template. These settings can be applied to local and non-local GPOs. Windows Settings that apply only to users include policy settings for folder redirection, Internet Explorer maintenance, and Remote Installation Services.

Modifying Group Policy inheritance

In Active Directory, Group Policy follows the hierarchy of sites, domains, and Organizational Units (not files and folders, which have their own inheritance of permissions). A GPO linked to the domain applies to every OU inside it, and a GPO linked to an OU applies to every OU nested under it, so a user or computer receives the settings from every GPO linked above it. A setting configured in a GPO closer to the object overrides only that particular inherited setting; the other inherited settings remain in place. Only settings that make sense for the kind of object are inherited: user settings don’t apply to computers and vice versa. There are two ways to change the default. Block Policy Inheritance on a domain or OU stops GPOs linked above it from applying, and No Override on a particular link forces that GPO through any block below it and past any conflicting setting in a lower GPO.

Filtering Group Policy settings with security groups

Multiple Group Policies can be linked to a particular domain, OU, or site, and all of them are applied, cumulatively, in link order (the first link on the Group Policy tab has the highest priority). You narrow who receives a GPO with its permissions: a GPO applies only to users and computers that hold both Read and Apply Group Policy permission on it, and by default Authenticated Users have both. To exempt a security group (say, a Managers group in an OU whose other users should get a locked-down desktop), add the group on the GPO’s Security tab and set Apply Group Policy to Deny, or remove the default Allow and grant it only to the groups that should receive the policy. Because Deny overrides Allow, the Deny approach is the safer one for exceptions but the harder one to read later, so document it.
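The following Python model, added here and not part of the chapter, works through the combination of inheritance, Block Policy Inheritance, No Override, link order and security-group filtering described in the last two sections, so that you can see which GPO ends up setting each item. GPO names, setting names and group names are constructed, and it models the documented precedence rules rather than reading a real domain.

```python
"""Model of Group Policy inheritance, Block Policy Inheritance, No Override and
security-group filtering in Windows 2000.  Added example, not code from the
chapter.  GPO names, setting names and group names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Gpo:
    name: str
    settings: Dict[str, str]
    # Groups holding Allow "Apply Group Policy" on the GPO (default: Authenticated Users)
    apply_to: Set[str] = field(default_factory=lambda: {"Authenticated Users"})
    # Groups holding Deny "Apply Group Policy" (how you filter a GPO away)
    deny_apply: Set[str] = field(default_factory=set)


@dataclass
class Link:
    gpo: Gpo
    no_override: bool = False   # "No Override" on the link (called Enforced later)


@dataclass
class Scope:
    name: str
    links: List[Link] = field(default_factory=list)  # as listed on the tab: first = highest priority
    block_inheritance: bool = False


def applies(gpo: Gpo, token: Set[str]) -> bool:
    """Security filtering: a Deny anywhere in the token wins; otherwise the
    token needs an Allow for Apply Group Policy."""
    return not (gpo.deny_apply & token) and bool(gpo.apply_to & token)


def resolve(local: Optional[Gpo], scopes: List[Scope], token: Set[str]) -> Dict[str, Tuple[str, str]]:
    """Effective settings for a user or computer whose token is `token`.
    `scopes` runs from outermost to innermost (site, domain, OU, sub-OU).
    Processing order is local, site, domain, OU, so a GPO applied later
    overrides an earlier one on the same setting.  Block Policy Inheritance on
    a scope discards the GPOs linked above it, except links marked No Override,
    which are applied last of all (a parent's No Override beats a child's).
    Returns {setting: (value, name of the GPO that set it)}."""
    ordered: List[Gpo] = []
    enforced: List[Gpo] = []
    for scope in scopes:
        if scope.block_inheritance:
            ordered = []
        scope_enforced: List[Gpo] = []
        # The first link on the tab has the highest priority, so apply it last.
        for link in reversed(scope.links):
            (scope_enforced if link.no_override else ordered).append(link.gpo)
        enforced = scope_enforced + enforced   # inner scopes first, outermost last
    apply_order = ([local] if local else []) + ordered + enforced
    effective: Dict[str, Tuple[str, str]] = {}
    for gpo in apply_order:
        if not applies(gpo, token):
            continue
        for setting, value in gpo.settings.items():
            effective[setting] = (value, gpo.name)
    return effective


# Constructed sample topology.
LOCAL = Gpo("Local Computer Policy", {"wallpaper": "default.bmp", "proxy": "none"})
SITE_PROXY = Gpo("Site-Proxy", {"proxy": "hq-proxy", "home_page": "http://intranet"})
DOMAIN_AUDIT = Gpo("Domain-Audit", {"audit_logon": "success,failure"})
ACCT_NOCP = Gpo("Acct-NoControlPanel", {"hide_control_panel": "yes", "screensaver_timeout": "600"},
                deny_apply={"Managers"})            # managers are filtered out
ACCT_DESKTOP = Gpo("Acct-Desktop", {"wallpaper": "acct.bmp", "proxy": "acct-proxy", "screensaver_timeout": "900"})


def build_scopes(block: bool) -> List[Scope]:
    """Site, domain and one OU; `block` sets Block Policy Inheritance on the OU."""
    return [
        Scope("Site HQ", [Link(SITE_PROXY)]),
        Scope("Domain oreilly.com", [Link(DOMAIN_AUDIT, no_override=True)]),
        Scope("OU Accounting", [Link(ACCT_NOCP), Link(ACCT_DESKTOP)], block_inheritance=block),
    ]


if __name__ == "__main__":
    jane = {"jane", "Authenticated Users"}
    bob = {"bob", "Authenticated Users", "Managers"}
    for who, token in (("jane", jane), ("bob", bob)):
        for setting, (value, src) in sorted(resolve(LOCAL, build_scopes(True), token).items()):
            print(f"{who:5} {setting:20} = {value:16} from {src}")
```

Read the output for jane against the rules: the site GPO is gone because the OU blocks inheritance, the domain audit GPO survives the block because its link is No Override, the two OU GPOs both apply with the first link winning the screensaver conflict, and bob, as a Manager, is filtered out of Acct-NoControlPanel and so keeps the Control Panel and gets the other GPO’s timeout.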
