Windows Server Administration/Active Directory

This lesson covers Active Directory. Activities include creating and managing domains, user accounts, and groups.

Objectives and Skills
Objectives and skills for the Understanding Active Directory portion of Windows Server Administration Fundamentals certification include:
 * Understand accounts and groups: domain accounts; local accounts; user profiles; group types; group scopes; group nesting; AGDLP
 * Understand organizational units and containers: purpose of organizational units; purpose of containers; delegation; default
 * Understand Active Directory infrastructure: domain controllers; forests; operation masters roles; domain vs. workgroup; child domains; trusts; functional levels; namespace; sites; replication

Readings

 * 1) Windows domain
 * 2) Active Directory
 * 3) Active Directory: Guide to Terminology, Definitions & Fundamentals!
 * 4) Organizational Unit
 * 5) AGDLP
 * 6) Microsoft: Forests - basic explanation
 * 7) Active Directory Forest – What is AD Forest?
 * 8) Microsoft: Domain Trees

Multimedia

 * 1) YouTube: Learn Microsoft Active Directory
 * 2) YouTube: Setting up Active Directory in Windows Server 2019 (Step By Step Guide)
 * 3) YouTube: Windows Active Directory Users and Groups
 * 4) YouTube: Active Directory forest and trees

Activities

 * 1) Review How to Setup a New Active Directory 2016 or 2019 Forest/Domain. Add the Active Directory Domain Services role and create a new forest.
 * 2) Review How to Add a Child Domain on Windows Server 2016. If you have a second server available, add the Active Directory Domain Services role and add a child domain to the forest. The steps are the same on Windows Server 2019.
 * 3) Review Organizational unit (computing). Create organizational units.
 * 4) Review How to Delegate Control in Active Directory Users and Computers. Delegate control of an organizational unit.
 * 5) Review Security Account Manager. Create user accounts in the organizational units.
 * 6) Review Naming Conventions in Active Directory. Create global groups to organize user accounts. Add users to the groups. Create domain local groups to organize resources. Add global groups to the domain local groups. Add the domain local groups to resources.
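The six activities above carried out as one PowerShell session, as an added example that is not part of the lesson or of any of the linked guides. Every name in it (corp.example.com, the CORP NetBIOS name, the OU, user, group and share names) is a placeholder to replace with your own lab values; steps 1 and 2 reboot the server, so run the rest after it comes back. Delegation in step 4 grants only password reset and unlock on user objects rather than Full Control, and step 6 places permissions on the domain local group only, which is the AGDLP chain the lesson summary describes.

```powershell
# Added example (not from the lesson or any linked guide). All names are placeholders.
# Step 1 reboots the server; run steps 3-6 after it is back up and you are logged on
# as a domain administrator.

# --- Step 1: AD DS role and a new forest (run on the first server) --------------
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "corp.example.com" -DomainNetbiosName "CORP" `
    -InstallDns -ForestMode WinThreshold -DomainMode WinThreshold `
    -SafeModeAdministratorPassword (Read-Host "DSRM password" -AsSecureString) -Force

# --- Step 2: child domain (run on the second server, optional) -----------------
# Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# Install-ADDSDomain -NewDomainName "lab" -ParentDomainName "corp.example.com" `
#     -DomainType ChildDomain -InstallDns -Credential (Get-Credential "CORP\Administrator") `
#     -SafeModeAdministratorPassword (Read-Host "DSRM password" -AsSecureString) -Force

# --- Step 3: organizational units ----------------------------------------------
Import-Module ActiveDirectory
$root = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example,DC=com
foreach ($ou in 'Finance', 'Groups', 'Admin') {
    New-ADOrganizationalUnit -Name $ou -Path $root -ProtectedFromAccidentalDeletion $true
}
$financeOU = "OU=Finance,$root"; $groupsOU = "OU=Groups,$root"; $adminOU = "OU=Admin,$root"

# --- Step 4: delegate control of the Finance OU ---------------------------------
# Help desk gets reset password, pwdLastSet (force change at next logon) and
# lockoutTime (unlock) on user objects in the OU; nothing more.
New-ADGroup -Name "G-HelpDesk" -GroupScope Global -GroupCategory Security -Path $adminOU
dsacls $financeOU /I:S /G "CORP\G-HelpDesk:CA;Reset Password;user" `
                         "CORP\G-HelpDesk:WP;pwdLastSet;user" `
                         "CORP\G-HelpDesk:WP;lockoutTime;user"

# --- Step 5: user accounts in the OU --------------------------------------------
$initial = Read-Host "Initial password" -AsSecureString
$users = @(
    @{ Given = 'Alice'; Surname = 'Adams'; Sam = 'aadams' },
    @{ Given = 'Bob';   Surname = 'Brown'; Sam = 'bbrown' }
)
foreach ($u in $users) {
    New-ADUser -Name "$($u.Given) $($u.Surname)" -GivenName $u.Given -Surname $u.Surname `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@corp.example.com" `
        -Path $financeOU -AccountPassword $initial -Enabled $true -ChangePasswordAtLogon $true
}

# --- Step 6: AGDLP ---------------------------------------------------------------
# Accounts -> Global group -> Domain Local group -> Permission
New-ADGroup -Name "G-Finance-Staff" -GroupScope Global -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity "G-Finance-Staff" -Members aadams, bbrown

New-ADGroup -Name "DL-FinanceShare-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity "DL-FinanceShare-Modify" -Members "G-Finance-Staff"

# The permission is granted to the domain local group only; no user is added directly.
$share = "C:\Shares\Finance"
New-Item -ItemType Directory -Path $share -Force | Out-Null
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "CORP\DL-FinanceShare-Modify", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl
New-SmbShare -Name "Finance" -Path $share -FullAccess "CORP\DL-FinanceShare-Modify"

# Check: recursive membership of the DL group should list the users via G-Finance-Staff.
Get-ADGroupMember -Identity "DL-FinanceShare-Modify" -Recursive | Select-Object Name, objectClass
```

The final `Get-ADGroupMember -Recursive` call is the check to run after step 6: if a user appears there, the chain account > global group > domain local group > share permission is in place, and adding the next hire means one `Add-ADGroupMember` to the global group, not a change to the share.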

Lesson Summary

 * Active Directory (AD) is a directory service implemented by Microsoft for Windows domain networks. An AD domain controller authenticates and authorizes all users and computers in a Windows domain network, assigning and enforcing security policies for all computers and installing or updating software.


 * A schema defines the types of objects that can be stored in an Active Directory database and the attributes that describe each object type.


 * A forest is a collection of one or more trees that share a common global catalog, directory schema, logical structure, and directory configuration.


 * A tree is a collection of one or more domains in a contiguous namespace, linked in a transitive trust hierarchy.


 * A domain is defined as a logical group of objects (computers, users, devices) that share the same Active Directory database.


 * Domains are identified by their DNS name structure, the namespace used for Active Directory.


 * Trusts allow users in one domain to access resources in another domain.


 * Trusts between a parent and child domain are automatically created when the child domain is created.


 * Domain controllers are servers that have the Active Directory Domain Services role installed and host an Active Directory database for a given domain.


 * Sites are collections of well-connected subnets in a given geographic location.


 * Replication copies changes on one domain controller to all other domain controllers hosting the same Active Directory database (that is, within the same domain).


 * The Knowledge Consistency Checker (KCC) service creates a replication topology of site links using the defined sites to manage traffic.


 * Intrasite replication is frequent and automatic as a result of change notification, which triggers domain controllers to begin a pull replication cycle.


 * Intersite replication intervals are typically less frequent and based on elapsed time rather than change notification.


 * Although most domain changes can be made on any domain controller, certain operations are supported only on a single server. These servers are designated operation masters (originally Flexible Single Master Operations or FSMOs).  The operation master roles are Schema Master, Domain Naming Master, PDC Emulator, RID Master, and Infrastructure Master.


 * The functional level of a domain or forest controls which advanced features are available in the forest or domain. Separate functional levels are available for Windows Server 2016 and 2019.  Forests and domains should be set to the highest functional level all domain controllers support.
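A read-only inventory of the infrastructure points in the summary above (forest and domain, operation master roles, functional levels, trusts, sites, site links and replication health), as an added example that is not from the lesson. It uses only the ActiveDirectory module and assumes it is run by a domain administrator on a domain controller or a workstation with RSAT; domain names in the output will be your own.

```powershell
# Added example (not from the lesson): read-only AD infrastructure inventory.
# Requires the ActiveDirectory module (RSAT or a domain controller).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide operation master roles live on exactly one DC in the whole forest.
"Forest {0}  functional level: {1}" -f $forest.Name, $forest.ForestMode
"  Schema Master        : $($forest.SchemaMaster)"
"  Domain Naming Master : $($forest.DomainNamingMaster)"
"  Global catalogs      : $($forest.GlobalCatalogs -join ', ')"

# Domain-wide operation master roles live on exactly one DC per domain.
"Domain {0}  functional level: {1}" -f $domain.DNSRoot, $domain.DomainMode
"  PDC Emulator         : $($domain.PDCEmulator)"
"  RID Master           : $($domain.RIDMaster)"
"  Infrastructure Master: $($domain.InfrastructureMaster)"
if ($domain.ParentDomain) { "  Parent domain        : $($domain.ParentDomain)" }
if ($domain.ChildDomains) { "  Child domains        : $($domain.ChildDomains -join ', ')" }

# Check: compare each DC's operating system with the functional level above; the
# lesson's rule is to raise the level to the highest that every DC supports.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, OperatingSystem, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# Trusts: parent/child trusts are created automatically; review any other entry.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest |
    Format-Table -AutoSize

# Sites and the site links (with their intersite interval) the KCC builds its topology from.
Get-ADReplicationSite -Filter * | Select-Object Name
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, ReplicationFrequencyInMinutes, @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } } |
    Format-Table -AutoSize

# Replication health per DC: consecutive failures or a LastReplicationSuccess older
# than a day mean changes are not converging across the domain.
$stale = (Get-Date).AddHours(-24)
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or $_.LastReplicationSuccess -lt $stale } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures
}
```

Nothing in the script changes the directory, so it is safe to run as the first step of any troubleshooting session; an empty result from the last loop means every partner link replicated successfully within the last 24 hours.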


 * Containers are used to group Active Directory objects for administrative purposes. The default containers include the domain itself, Builtin, Users, Computers, and Domain Controllers.


 * Organizational Units (OUs) are object containers that support both administrative delegation and the application of Group Policy objects and are used to provide an administrative hierarchy to a domain.


 * In a domain, a central Active Directory database authenticates every user and computer in the domain. The alternative configuration is a workgroup, in which each computer is responsible for authenticating its own users.


 * Domain accounts are stored in the Active Directory database and available to all computers in the domain. Local accounts are stored in the Security Account Manager (SAM) database on each local computer and available only to that computer.


 * Active Directory supports two types of groups: distribution groups and security groups. Distribution groups are used by email applications such as Microsoft Exchange. Security groups are used to group accounts so that rights and permissions can be applied to them.


 * Active Directory groups may be created with Universal, Global, or Domain Local scope. Universal groups can contain any account in the forest and can be assigned to any resource in the forest.  Global groups can contain any account in the domain and can be assigned to any resource in the forest.  Domain local groups can contain any account in the forest and can be assigned to any resource in the domain.


 * Universal groups can contain other universal groups and global groups from the forest. Global groups can contain other global groups from the same domain.  Domain local groups can contain universal and global groups from the forest and other domain local groups from the same domain.


 * The Microsoft-recommended approach to account and resource management is to use global groups to organize users and domain local groups to organize resources. That is, to place accounts into global groups, place global groups into domain local groups, and give domain local groups permissions to access resources, also referred to as AGDLP.

Key Terms

 * access control
 * The selective restriction of access to a place or resource.


 * authentication
 * The act of confirming the truth of an attribute of a datum or entity, such as a person's identity.


 * authorization
 * The function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular.


 * Kerberos
 * A computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.


 * Lightweight Directory Access Protocol (LDAP)
 * An application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.


 * member server
 * A server that is a member of an Active Directory domain and is not a domain controller.


 * multi-master replication
 * A method of database replication which allows data to be stored by a group of computers, and updated by any member of the group.


 * resource
 * An object that security principals may be authorized to access, such as files, folders, and printers.


 * Samba
 * A free software re-implementation of the SMB/CIFS networking protocol that is included with most Unix and Linux operating systems and allows them to connect with Microsoft Windows file and print services.


 * security principal
 * An entity that can be authenticated by a computer system or network, such as users, groups, and computers.

Flashcards

 * Test your understanding of this lesson.
 * Test your understanding of the key terms.