SDFC - Active Directory

The document provides an overview of Active Directory including its benefits and components. Active Directory is a directory service that stores information about users, resources and other network entities. It simplifies management tasks, strengthens network security, and improves interoperability.

Uploaded by

LouR2011

Service Desk Foundation Certification

Active Directory Overview


Objectives

• Provide Active Directory Overview
• Demonstrate advantages of installing AD
• Explain AD Components
• Perform AD procedures to resolve user issues
Agenda

#  Module Name                      Duration (hr)
1  Introduction                     0.5
2  Active Directory (AD) Overview   1.0
3  AD Components                    1.5
4  AD User Procedures               1.0


Module 1

Introduction
What is a Network

• A network is a group of two or more computer systems linked together so that they can interact with each other.
• This connection allows the following:
  – Sharing files
  – Streaming media
  – Sharing an Internet connection
  – Playing network games
  – Sharing a printer
Network Topology

Ref: http://en.wikipedia.org/wiki/File:NetworkTopologies.png
Network Types

LAN   Local Area Networks
WLAN  Wireless Local Area Networks
WAN   Wide Area Networks
MAN   Metropolitan Area Networks
SAN   Storage Area Networks; also System Area Network, Server Area Network, or sometimes Small Area Networks
CAN   Campus Area Network, Controller Area Network and often Cluster Area Network
PAN   Personal Area Networks
DAN   Desk Area Networks


Environment

Domains, workgroups, and homegroups represent different methods for organizing computers in networks.

Environment - Domain

• Computers on workplace networks
• One or more computers are servers.
• Network administrators use servers to control the security and permissions for all computers on the domain.
• Domain users must provide a password or other credentials each time they access the domain.
• Any user having a user account on the domain can log on to any computer on the domain without needing an account on that computer.
• Only limited changes to a computer's settings are allowed, because network administrators often want to ensure consistency among computers.
• There can be thousands of computers in a domain.
• The computers can be on different local networks.
Environment - Workgroup

• Computers on a home network
• All computers are peers; no computer has control over another computer.
• Each computer has a set of user accounts. To log on to any computer in the workgroup, you must have an account on that computer.
• There are typically no more than twenty computers.
• A workgroup is not protected by a password.

Environment - Homegroup

In a homegroup:
• Computers on a home network must belong to a workgroup, but they can also belong to a homegroup. A homegroup makes it easy to share pictures, music, videos, documents, and printers with other people on a home network.
• A homegroup is protected with a password, but you only need to type the password once, when adding your computer to the homegroup.
• The Homegroup feature has been removed from Windows 10 version 1803, which is due for release in early 2018.
Types of Network Configuration - Peer to Peer (P2P)

• Peer to Peer (P2P) Network Configuration
  – A computer network in which each computer acts as both a client and a server for the other computers on the same network.
  – P2P configuration works very well in homes and in small organizations. If one of the computers stops working, the other computers on the network keep the network running, because no single computer is essential to it.

Types of Network Configuration - Client Server

• Client Server Network Configuration
  – A network where one or more computers called clients connect to a central computer named a server to share or use resources.
  – Each client computer must use an operating system that allows it to be identified to participate in the network.
  – Example: Domain
Client Operating System

• Client operating systems run on stand-alone systems, such as desktops and laptops, and are designed to be used by a single individual on a single device.
• Examples of client operating systems are Windows XP, Windows 7, Windows 10, Ubuntu etc.

Server Operating System

• An operating system running on the server in a client-server model of computer networks.
• Serves as a platform for running multi-user computer programs, networked applications and programs critical to business computing.
• Allows multiple computers to share a common printer.
• Runs services such as a network drive on which files are stored and made accessible to a select group of people.
• Has administrative tools for implementing policies and managing large networks.
• Example: Win 2008 Server, Win 2012 Server, Linux Redhat etc.
Windows Server

• Windows Server is an operating system that enables core IT resources, such as file and print sharing, remote access, and security.
• It provides a network foundation to centrally manage settings on computers that are based on the Windows® operating system, and upon which you can run the most popular business applications.
• It also provides a familiar Windows user experience that helps to manage users and safeguard business information.

Windows Server 2012 - Roles

 Active Directory Certificate Services (AD CS)
 Active Directory Domain Services (AD DS)
 Active Directory Federation Services (AD FS)
 Active Directory Lightweight Directory Services (AD LDS)
 Active Directory Rights Management Services (AD RMS)
 Application Server
 Branch Office
 DHCP Server
 DNS Server
 Fax Server
 File and Storage Services
 Group Policy
 Hyper-V
 Network Policy and Access Services
 Networking and Access Technologies
 Print Services
 Remote Desktop Services
 Security and Protection
 Streaming Media Services (available as a download)
 Terminal Services (Windows Server 2008)
 UDDI Services (not included in Windows Server 2008 R2)
 Web Server (IIS)
 Windows Deployment Services
 Windows Server Update Services (WSUS)
Directory Service

• A directory service is an important component of a server operating system.
• A directory service is a shared information infrastructure for locating, managing, administering, and organizing common items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects.

Summary

A network is a group of two or more computer systems linked together so that they can interact with each other.

Network Topology is a schematic description of the arrangement of a network, including its nodes and connecting lines.

Network Types: LAN, WLAN, WAN, MAN, SAN, CAN, PAN, DAN

Types of Environment: Domain, Workgroup & Homegroup

Types of Network Configuration: P2P & Client Server

Types of Operating System: Client Operating System & Server Operating System

Windows Server is an operating system that enables core IT resources, such as file and print sharing, remote access, and security.
Module 2

AD Overview
Overview
• Active Directory is a directory service and, like any directory service, its ultimate purpose is to:
  – Store information about users, resources and other network entities
  – Provide that information to anyone or anything that has access to the directory, according to access permissions
  – Help administrators to manage the network and users to find people and resources
• It improves the management, security, and interoperability of the Windows network operating system:
  – Provides a single point of management
  – Helps consolidate directories and eases management of the entire network operating system
  – Extends systems securely to the Internet
Focal Point of Active Directory
Benefits of Active Directory

1. Simplifies management tasks
2. Strengthens network security
3. Makes use of existing systems through interoperability

1. Simplifies Management

 Eliminates redundant management tasks
 Reduces trips to the desktop
 Better maximizes IT resources
 Lowers total cost of ownership (TCO)

2. Strengthens Security

 It improves password security and management
 It ensures desktop functionality
 It speeds e-business deployment
 It tightly controls security

3. Extends Interoperability

 Takes advantage of existing investments and ensures flexibility
 Consolidates management of multiple application directories
 Allows organizations to deploy directory-enabled networking
 Allows organizations to develop and deploy directory-enabled applications
Summary

Active Directory is a directory service

Its ultimate purpose is to store information about users, resources and other network entities

Provide stored information to anyone or anything that has access to the directory, according to
access permissions

Active Directory Benefits: Manageability, Security & Interoperability


Module 3

AD Components
What is a Directory Service?
A directory service is both the directory information source and the service that makes the information available and usable.

(Diagram: Centralized Administration vs. Dispersed Administration)

What Is Active Directory Domain Service?

Active Directory Domain Services (AD DS) is a directory service that provides the following services in a Windows Server 2008 network:
• User account management
• User authentication
• Computer account management
• Access to networked resources
• Domain-wide services
Object

• An object is any user, system, resource, or service tracked within Active Directory.
• Everything that Active Directory tracks is considered an object.
• Each object represents a single entity, whether a user, a computer, a printer, or a group, and its attributes.
• Objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups).
• Attributes describe objects in Active Directory. For example, all User objects share attributes to store a user name, full name, and description.
• The set of attributes available for any particular object type is called a schema.
What are AD DS Objects?

Object          Description
User            • Enables network resource access for a user
InetOrgPerson   • Similar to a user account
                • Used for compatibility with other directory services
Contacts        • Used primarily to assign e-mail addresses to external users
                • Does not enable network access
Groups          • Used to simplify the administration of access control
Computers       • Enables authentication and auditing of computer access to resources
Printers        • Used to simplify the process of locating and connecting to printers
Shared folders  • Enables users to search for shared folders based on properties
How Does AD DS Work

(Diagram: Authenticate against domain; Access network resources)

1. User and computer objects are created in the directory
2. Groups of these objects then can be created
3. A client can use the user account to authenticate against AD DS
4. The user can try to access networked resources
5. The resources will again validate the authenticated user against AD DS

Overview of AD DS

• Why Deploy AD DS?
• What is Authentication?
• What is Authorization?
• Using AD DS to Centralize Network Management
• Overview of AD DS Components

Why Deploy AD DS?

AD DS provides a centralized system for managing users, computers, and other resources on a network.

AD DS features include:
• Centralized directory
• Single sign-on access
• Integrated security
• Scalability
• Common management interface


What is Authentication?

Authentication is the process of verifying a user’s identity on a network.

Authentication includes two components:
• Interactive logon – grants access to the local computer
• Network authentication – grants access to network resources
What is Authorization?
Authorization is the process of verifying that an authenticated user has permission to perform an action.

• Security principals are issued security identifiers (SIDs) when the account is created.
• User accounts are issued security tokens during authentication that include the user’s SID and all related group SIDs.
• Shared resources on a network include access control lists (ACLs) that define who can access the resource.
• The security token is compared against the DACL on the resource and access is granted or denied.
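
The token-versus-DACL comparison described above, as an added example that is not part of the deck: it reads the SIDs from the current logon token and walks a folder's DACL in canonical ACE order to decide whether a requested right is granted. It assumes Windows PowerShell 5.1 or later, running as the user being checked, on a local NTFS path; owner rights and privileges are ignored.

```powershell
# Added example, not part of the deck: evaluate a DACL against the SIDs in the
# current logon token, the comparison the Authorization slide describes.
# Assumptions: Windows PowerShell 5.1 or later, run as the user being checked;
# the path is a local NTFS folder. Owner rights and privileges are ignored.

function Get-TokenSids {
    # The token issued at authentication holds the user's SID plus all group SIDs.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
}

function Test-DaclAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [System.Security.AccessControl.FileSystemRights] $Requested = 'ReadData'
    )
    $tokenSids = Get-TokenSids
    $acl = Get-Acl -Path $Path
    # Canonical ACE order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    $rules = $acl.Access |
        Sort-Object @{ Expression = { $_.IsInherited } }, @{ Expression = { $_.AccessControlType -eq 'Allow' } }
    $remaining = [int] $Requested        # rights still to be satisfied by an Allow ACE
    foreach ($rule in $rules) {
        try {
            $ruleSid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }            # orphaned SID that no longer resolves
        if ($tokenSids -notcontains $ruleSid) { continue }   # ACE is for a principal not in the token
        $overlap = ([int] $rule.FileSystemRights) -band $remaining
        if ($overlap -eq 0) { continue }                      # ACE does not touch the requested rights
        if ($rule.AccessControlType -eq 'Deny') {
            # A Deny covering any still-unsatisfied bit decides the request.
            return [pscustomobject]@{ Path = $Path; Requested = $Requested; Granted = $false; DecidedBy = $rule.IdentityReference.Value }
        }
        $remaining = $remaining -band (-bnot [int] $rule.FileSystemRights)
        if ($remaining -eq 0) {
            return [pscustomobject]@{ Path = $Path; Requested = $Requested; Granted = $true; DecidedBy = $rule.IdentityReference.Value }
        }
    }
    # No combination of Allow ACEs covered every requested bit: implicit deny.
    return [pscustomobject]@{ Path = $Path; Requested = $Requested; Granted = $false; DecidedBy = 'implicit deny' }
}

# Sample check: a standard user typically holds ReadData but not WriteData on this folder.
Test-DaclAccess -Path "$env:SystemRoot\System32\drivers\etc" -Requested 'ReadData'
Test-DaclAccess -Path "$env:SystemRoot\System32\drivers\etc" -Requested 'WriteData'
```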
Using AD DS to Centralize Network Management
AD DS centralizes network management by providing:
• Single location and set of tools for managing user and group accounts
• Single location for assigning access to shared network resources
• Directory service for AD DS enabled applications
• Options for configuring security policies that apply to all users and computers
• Group policies to manage user desktops and security settings

Overview of AD DS Components

AD DS is composed of both physical and logical components.

Physical Components:
• Data store
• Domain controllers
• Global catalog server
• Read-Only Domain Controller (RODC)

Logical Components:
• Partitions
• Schema
• Domains
• Domain trees
• Forests
• Sites
• Organizational units (OUs)
Overview of AD DS Logical Components

What is the AD DS Schema?

What is a Domain?

What are AD DS Trusts?

What is a Domain Tree?

What is a Forest?

What is an OU?

What are AD DS Objects?


What is the AD DS Schema?
The AD DS Schema:
• Defines every type of object that can be stored in AD DS
• Enforces rules regarding object creation and configuration

Object Types       Function                                                       Examples
Class Object       Defines what new objects can be created in the directory       • User class  • Computer class
Attribute Object   Defines what information can be stored for each object class   • Display name
What is a Domain?

Domains are logical directory components used to group and manage the AD DS objects in an organization.

(Diagram: WoodgroveBank.com)

Domains provide:
• An administrative boundary for applying policies to groups of objects
• A replication boundary for replicating data between domain controllers
• An authentication and authorization boundary that provides a way to limit the scope of access to resources
What are AD DS Trusts?

Trusts provide a mechanism for users to gain access to resources in another domain.

Types of Trusts   Description
Directional       The trust direction flows from the trusted domain to the trusting domain
Transitive        The trust relationship is extended beyond a two-domain trust to include other trusted domains

(Diagram: Access / TRUST; Trust & Access)

• All domains in a forest trust all other domains in the forest
• Trusts can extend outside the forest

What is a Domain Tree?

A domain tree is a hierarchy of domains in AD DS.

(Diagram: WoodgroveBank.com with child domains EMEA.WoodgroveBank.com and NA.WoodgroveBank.com)

All domains in the domain tree:
• Have a contiguous namespace with the parent domain
• Can have additional child domains added to the namespace
• Have a two-way transitive trust with other domains in the tree
What is a Forest?

A forest is a collection of
one or more domain trees

Forests:
• Share a common schema

• Share a common configuration partition

• Share a common global catalog to enable searching

• Enable trusts between all domains in the forest

• Share the Enterprise Admins and Schema Admins groups


What is an OU?

OUs are Active Directory containers that can contain users, groups, computers, and other OUs.

OUs are used to:
• Represent your organization hierarchically and logically
• Manage a collection of objects in a consistent way
• Delegate permissions to administer groups of objects
• Apply policies
Overview of AD DS Physical Components
What are AD DS Domain Controllers?

Overview of DNS and AD DS

What are Global Catalog Servers?

What is the AD DS Data Store?

What is AD DS Replication?

What are Sites?


What are AD DS Domain Controllers?

A domain controller is a server with the AD DS server role installed.

Domain controllers:
• Host a copy of the AD DS directory store
• Provide authentication and authorization services
• Replicate updates to other domain controllers in the domain and forest
• Allow administrative access to manage user accounts and network resources

Overview of DNS and AD DS

• AD DS requires a DNS infrastructure.
• AD DS domain names must be DNS domain names.
• AD DS domain controller records must be registered in DNS to enable other domain controllers and client computers to locate the domain controllers.
• DNS zones can be stored in AD DS as Active Directory integrated zones.
What are Global Catalog Servers?

Global catalog servers are domain controllers that also store a copy of the global catalog.

The global catalog:
• Contains a copy of all AD DS objects in a forest that includes only some of the attributes for each object in the forest
• Improves efficiency of object searches by avoiding unnecessary referrals to domain controllers
• Required for users to log on to a domain

What is the AD DS Data Store?

The AD DS data store contains the database files and processes that store and manage directory information for users, services, and applications.

The AD DS data store:
• Consists of the Ntds.dit file
• Is stored by default in the %SystemRoot%\NTDS folder on all domain controllers
• Is accessible only through the domain controller processes and protocols

What is AD DS Replication?

AD DS replication copies all updates of the AD DS database to all other domain controllers in a domain or forest.

AD DS replication:
• Ensures that all domain controllers have the same information
• Uses a multimaster replication model
• Can be managed by creating AD DS sites

The AD DS replication topology is created automatically as new domain controllers are added to the domain.
What are Sites?
An AD DS site is used to represent a network segment where all
domain controllers are connected by a fast and reliable network
connection

Sites are:
• Associated with IP subnets
• Used to manage replication traffic

• Used to manage client logon traffic


• Used by site aware applications such as Distributed File
Systems (DFS) or Exchange Server 2007
• Used to assign group policy objects to all users and
computers in a company location
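
The three physical-component points above (DC locator records in DNS, replication between domain controllers, and site-to-subnet mapping) as one added check script, not part of the deck. It assumes the RSAT ActiveDirectory module on a domain-joined host, the DnsClient module (Windows 8 / Server 2012 or later), and uses 10.20.30.40 as a constructed sample client address; the domain name is read from the current domain.

```powershell
# Added example, not part of the deck: verify the DNS, replication and Sites slides.
# Assumptions: RSAT ActiveDirectory module on a domain-joined host, DnsClient module
# (Windows 8 / Server 2012 or later); 10.20.30.40 below is a constructed sample address.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DcLocatorRecords {
    param([string] $Domain = (Get-ADDomain).DNSRoot)
    # Clients and DCs find domain controllers through these SRV records; a DC missing
    # here cannot be located for logon or replication even when it is up.
    foreach ($name in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain") {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { [pscustomobject]@{ Record = $name; Target = $_.NameTarget; Port = $_.Port } }
    }
}

function Get-DcReplicationHealth {
    param([int] $StaleAfterMinutes = 60)
    # Multimaster replication: every DC should show a recent success with each partner.
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    DC            = $dc.HostName
                    Site          = $dc.Site
                    GlobalCatalog = $dc.IsGlobalCatalog
                    ReadOnly      = $dc.IsReadOnly
                    Partner       = (($_.Partner -split ',')[1] -replace '^CN=')   # from the partner's NTDS Settings DN
                    LastSuccess   = $_.LastReplicationSuccess
                    Failures      = $_.ConsecutiveReplicationFailures
                    Stale         = ($_.LastReplicationSuccess -lt (Get-Date).AddMinutes(-$StaleAfterMinutes))
                }
            }
    }
}

function ConvertTo-UInt32 {
    param([ipaddress] $Ip)
    $bytes = $Ip.GetAddressBytes(); [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Find-SiteForAddress {
    param([Parameter(Mandatory)] [ipaddress] $Address)
    # AD places a client in the site whose subnet contains its IP, and the client then
    # prefers that site's DCs for logon. The longest matching prefix wins.
    $addr = ConvertTo-UInt32 $Address
    $best = $null
    foreach ($subnet in Get-ADReplicationSubnet -Filter *) {
        if (-not $subnet.Site) { continue }                                            # subnet not assigned to a site
        if ($subnet.Name -notmatch '^(\d+\.\d+\.\d+\.\d+)/(\d+)$') { continue }        # IPv4 subnets only
        $prefix = [int] $Matches[2]
        $mask = if ($prefix -eq 0) { 0 } else { (0xFFFFFFFF -shl (32 - $prefix)) -band 0xFFFFFFFF }
        $netBits = (ConvertTo-UInt32 $Matches[1]) -band $mask
        if ($netBits -ne ($addr -band $mask)) { continue }
        if ($null -eq $best -or $prefix -gt $best.Prefix) {
            $best = [pscustomobject]@{ Address = $Address.ToString(); Subnet = $subnet.Name; Prefix = $prefix; Site = (($subnet.Site -split ',')[0] -replace '^CN=') }
        }
    }
    return $best   # $null means no site covers the address and the client falls back to any DC
}

Get-DcLocatorRecords | Format-Table -AutoSize
Get-DcReplicationHealth | Where-Object { $_.Stale -or $_.Failures -gt 0 } | Format-Table -AutoSize
Find-SiteForAddress -Address '10.20.30.40'
```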
Groups
• Groups serve two functions in
Active Directory: security and
distribution
– A security group contains
accounts which can be used
for security access.
– A distribution group is
used for sending information
to users. It cannot be used
for security access
• There are 3 Group Scopes:
– Global
– Universal
– Domain Local
Group Types
• Distribution Groups
  – Their function is to create e-mail distribution lists.
  – They can be used with e-mail applications (such as Microsoft Exchange) to send e-mail to the members of the group.

• Security Groups:
  – Users, computers, and other groups can be collected into a security group, and the appropriate permissions to specific resources (such as file shares and printers) are assigned to the security group.
  – This simplifies administration by assigning permissions once to the group instead of multiple times to each individual user. When you add a user to an existing group, the user automatically gains the rights and permissions already assigned to that group.

Group Scope: Domain Local

• Domain local groups help you define and manage access to resources within a single domain.
  – For example, to give five users access to a particular printer, you could add all five user accounts, one at a time, to the printer permissions list. Later, if you wanted to give the same five users access to a new printer, you would again have to specify all five accounts in the permissions list for the new printer. Or, you could take advantage of groups with domain local scope.

Group Scope: Global & Universal

• Global Scope
  – Use global groups to collect users or computers that are in the same domain and share the same job, organizational role, or function.
  – For example: HR department, Finance etc.
• Universal Scope
  – Universal groups are used to build groups that perform a common function across an enterprise.
  – Universal groups span a multi-domain environment by using trust relationships.
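
The group types and scopes from the slides above, built with the ActiveDirectory module as an added example that is not part of the deck: a global group collects the role (the HR department), a domain local group holds the permission on one resource, and a distribution group exists only as a mail list. The OU distinguished name, the NetBIOS domain name CORP, the share path D:\Shares\HR (standing in for the slide's printer) and the member names are placeholders.

```powershell
# Added example, not part of the deck: group types and scopes with the ActiveDirectory
# module. Assumptions: RSAT module and rights to create groups; the OU, CORP, the folder
# D:\Shares\HR and the member sAMAccountNames are placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

$OuPath = 'OU=Groups,OU=Paisley,DC=corp,DC=example,DC=com'   # placeholder OU

function New-GroupIfMissing {
    param([string] $Name, [string] $Category, [string] $Scope, [string] $Description)
    $existing = Get-ADGroup -Filter "SamAccountName -eq '$Name'" -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory $Category -GroupScope $Scope `
        -Path $OuPath -Description $Description -PassThru
}

# Global scope: users from this domain who share a role (the slide's HR department).
$hrStaff  = New-GroupIfMissing -Name 'HR-Staff' -Category Security -Scope Global -Description 'HR department staff'
# Domain local scope: defines access to one resource inside this domain.
$hrModify = New-GroupIfMissing -Name 'HR-Share-Modify' -Category Security -Scope DomainLocal -Description 'Modify on HR share'
# Distribution type: a mail list only; it cannot be used for security access.
$prList   = New-GroupIfMissing -Name 'PR-Distribution-Group' -Category Distribution -Scope Global -Description 'PR mail list'

# Role to resource chain: users into the global group, the global group into the domain local group.
Add-ADGroupMember -Identity $hrStaff  -Members 'jdoe', 'asmith'   # placeholder sAMAccountNames
Add-ADGroupMember -Identity $hrModify -Members $hrStaff

function Grant-FolderAccessToGroup {
    param([string] $Path, [string] $GroupSam, [string] $Rights = 'Modify')
    $group = Get-ADGroup -Identity $GroupSam
    if ($group.GroupCategory -ne 'Security') {
        throw "$GroupSam is a distribution group and cannot hold permissions"
    }
    # The permission is granted once, to the group; later members receive it through membership.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "CORP\$GroupSam", $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Grant-FolderAccessToGroup -Path 'D:\Shares\HR' -GroupSam 'HR-Share-Modify'

# Who actually receives Modify: the recursive membership of the domain local group.
Get-ADGroupMember -Identity $hrModify -Recursive | Select-Object SamAccountName, objectClass
```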
Module 4

AD User Procedures
Important Note

• Depending on the level of access, AD users need to be extra cautious when dealing with AD accounts, because incorrect actions can affect Business Critical Systems.
• There are 3 types of accounts:
  – SYS: Global Domain admin
  – DEP: Local domain admin
  – SD: Global workstation admin, AD read/write access

Active Directory - User Procedures

#  Activity                           Prerequisites
1  Connecting to Domain controllers   • OS: Windows Server OS
2  Unlock Account                     • Access: Administrator Access
3  Password Reset                     • Network: Domain
4  Disable Account
5  Enable Account
6  Distribution Group
Connecting to DC

• Open the Active Directory Users & Computers window
  – Go to Start > Programs > Administrative Tools > Active Directory Users and Computers
  – Or go to Start > Run and type the dsa.msc command in the field

Connect to a Primary Server
a. Right-click on the + sign for Domain (.com) on the left pane
b. From the menu, select Connect to Domain Controller
c. The Connect to Domain Controller window will pop up to select the required server

Find Icon
• Use the Find facility by clicking on the find icon
• Repeat steps a-c (previous slide) to connect to a different server
2. Unlocking Accounts

• Scenarios
   Account is locked out
   Users get the following errors:
    “Cannot verify username”
    “The domain password you supplied is incorrect”

Open Account Properties Window

1. In the Active Directory & Users window, right-click on Domain (.com) on the left pane
2. Select Find from the menu
3. The Find Users, Contacts & Groups window will pop up
4. Type the account name supplied in the Name field & click Find Now
5. Double-click on the account to open the account Properties window

Account Unlocked

6. Click on the Account tab
7. If the checkbox for the Account is locked out field has a tick next to it, then uncheck the box
8. The account is now unlocked

3. Password Reset

1. In the Active Directory & Users window, right-click on Domain (.com) on the left pane
2. Select Find from the menu
3. The Find Users, Contacts & Groups window will pop up
4. Type the account name supplied in the Name field and click Find Now
5. Right-click on the account & select the Reset Password option from the menu

Password Reset Rule

• Always reset the password to Pa55word and check the box where it says User must change password at next logon
NB: It can take 5 minutes for the change to replicate
4. Disabling Accounts

• A user's account is disabled, rather than deleted permanently, when the user goes on maternity leave

Disabling Account

1. In the Active Directory & Users window, right-click on Domain (.com) on the left pane
2. Select Find from the menu
3. The Find Users, Contacts & Groups window will pop up
4. Type the account name supplied in the Name field & click Find Now
5. Right-click on the account & select the Disable Account option from the menu

5. Enabling Accounts

• Scenario: When users return from long leave, their account is still disabled and must be enabled again

Enabling Account

1. In the Active Directory & Users window, right-click on ab.com on the left pane
2. Select Find from the menu
3. The Find Users, Contacts & Groups window will pop up
4. Type the account name supplied in the Name field & click Find Now
5. Right-click on the account & select the Enable Account option from the menu
6. Create a Distribution Group

• Activity: Create a distribution group called Distribution Group in the Organizational Unit (OU)
• Steps:
1. Open Active Directory Users and Computers
2. Locate an OU & click on the + sign
3. Right-click on Groups
4. Go to New > Group

Update Details
5. The New Object – Group window pops up
6. Type the Group Name (for e.g. PR Distribution Group)
7. Leave the Group Scope as Global and change the Group Type to Distribution
8. Click Next
9. In order to mail enable the Distribution Group, check the box for Create an Exchange email address
10. Select the appropriate value in the Associated Administrative Group field drop-down & click Next

Distribution Group (DG) Created

11. Click Finish
12. The New Distribution Group is created & will be found under Groups under the Paisley Organizational Unit
DG Properties- General Tab
1. Go to Active Directory & Users window
2. Under Groups for Paisley OU,
double-click on the new Distribution
Group name to view the Properties
window
3. Click General tab to view the
following:
a. Email address of the DG
b. Description field
c. Group Name
d. Group Scope
e. Group Type
f. Notes field to add notes
DG Properties- Members Tab
4. Click the Members tab
– Purpose
Here one can add individuals
that are to be members of
the distribution group
– How to Add
Click the Add button and
select the names from the list
that appears
DG Properties- ‘Member Of’ Tab
5. Click the Member Of Tab
– Purpose
1. Here one can add the Distribution Group to another group, thereby automatically adding all the names in the group to the other group
2. Distribution groups can only be added to groups from the local domain, and to universal groups from other domains
– How to Add
• Click the Add button and select the desired group name from the list that appears
Create A New User Account

To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.

1. Open Active Directory Users and Computers.
2. In the console tree, right-click the folder in which you want to add a user account.
   • Active Directory Users and Computers/domain node/folder
3. Point to New, and then click User.
4. In First name, type the user's first name.
5. In Initials, type the user's initials.
6. In Last name, type the user's last name.
7. Modify Full name to add initials or reverse the order of first and last names.
8. In User logon name, type the user logon name, click the UPN suffix in the drop-down list, and then click Next.
9. In Password and Confirm password, type the user's password, and then select the appropriate password options.
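
The Module 4 procedures (unlock, password reset, disable, enable and new user) as ActiveDirectory module functions, added here as an example and not part of the deck. It assumes the RSAT module and delegated rights on the target accounts; DC01.corp.example.com, corp.example.com and the OU distinguished names are placeholders. Each change targets one DC so the status check and the change read the same copy; other DCs catch up through replication (the deck's "5 minutes"). Unlike the deck's fixed reset value, the reset function generates a random one-time password and keeps the change-at-next-logon flag.

```powershell
# Added example, not part of the deck: Module 4 service-desk procedures with the
# ActiveDirectory module. Assumptions: RSAT module, delegated rights; DC01, corp.example.com
# and the OU distinguished names are placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

$Dc = 'DC01.corp.example.com'   # one DC for check and change; others follow by replication

function Get-AccountStatus {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    # The Account tab fields plus the counters that say why the account is locked.
    Get-ADUser -Identity $SamAccountName -Server $Dc -Properties Enabled, LockedOut, BadPwdCount,
        LastBadPasswordAttempt, PasswordLastSet, PasswordExpired |
        Select-Object SamAccountName, Enabled, LockedOut, BadPwdCount, LastBadPasswordAttempt,
            PasswordLastSet, PasswordExpired
}

function New-TemporaryPassword {
    param([int] $Length = 14)
    # One random value per ticket, read to the user over a verified channel, instead of a
    # fixed value every desk agent knows; still paired with "change at next logon".
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+='.ToCharArray()
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Unlock-ServiceDeskAccount {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $before = Get-AccountStatus $SamAccountName
    if (-not $before.LockedOut) { return $before }      # nothing to unlock; report the current state
    # Lockouts that recur right after an unlock come from a stale saved credential or from
    # someone guessing; record BadPwdCount and LastBadPasswordAttempt in the ticket first.
    Unlock-ADAccount -Identity $SamAccountName -Server $Dc
    return Get-AccountStatus $SamAccountName
}

function Reset-ServiceDeskPassword {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $temp = New-TemporaryPassword
    Set-ADAccountPassword -Identity $SamAccountName -Server $Dc -Reset `
        -NewPassword (ConvertTo-SecureString -String $temp -AsPlainText -Force)
    Set-ADUser -Identity $SamAccountName -Server $Dc -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName -Server $Dc   # a reset does not clear a lockout
    return $temp   # hand to the user; it is valid for the first logon only
}

function Disable-ServiceDeskAccount {
    param([Parameter(Mandatory)] [string] $SamAccountName, [string] $Reason = 'long leave')
    # Disable rather than delete: the SID and group memberships survive for the return.
    Disable-ADAccount -Identity $SamAccountName -Server $Dc
    Set-ADUser -Identity $SamAccountName -Server $Dc -Description "Disabled $(Get-Date -Format s): $Reason"
    return Get-AccountStatus $SamAccountName
}

function Enable-ServiceDeskAccount {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    Enable-ADAccount -Identity $SamAccountName -Server $Dc
    return Get-AccountStatus $SamAccountName
}

function New-ServiceDeskUser {
    param([string] $GivenName, [string] $Surname, [string] $Initials, [string] $SamAccountName,
          [string] $OuPath = 'OU=Users,OU=Paisley,DC=corp,DC=example,DC=com')   # placeholder OU
    $temp = New-TemporaryPassword
    # Steps 4-9 of the slide: names, full name, logon name with UPN suffix, password options.
    New-ADUser -Server $Dc -Path $OuPath -Name "$GivenName $Surname" -GivenName $GivenName `
        -Surname $Surname -Initials $Initials -DisplayName "$Surname, $GivenName" `
        -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@corp.example.com" `
        -AccountPassword (ConvertTo-SecureString -String $temp -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true
    return $temp
}
```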