Active Directory
March 21 (Day); March 23 (Night)
Domain-Based Model:
o In these traditional models, a network may and usually does have multiple
servers. If you want to access a server, you must log on. In that case, every time
you access a different server, you must repeat the logon process (p. 370).
o A domain-based network provides an excellent solution for the problem of
multiple logons (p. 370).
o A domain is a fundamental component, or container, that holds information about
all network resources that are grouped within it – servers, printers, users, and
groups.
These network resources are called objects and are associated with a
domain. When you set up a new user account or network printer, for
example, it becomes an object within a domain.
o Modern domain-based networks use what is called a directory service to store
user and computer account information. Microsoft Windows 2000 and 2003 use
the Active Directory (A.D.) directory service (p. 370).
o The Active Directory is the core concept behind Windows 2000 and Windows
2003 Server. The AD houses information about all network resources such as
servers, printers, user accounts, security policies, and other information.
o A domain has three basic functions:
Provide a security boundary around objects that have a common
relationship. In other words, you may want some objects to have access
to resources that other objects do not have access to. (In practice the
forest, not the domain, is the real security boundary: administrative
rights in one domain of a forest can be leveraged into every other domain
of that forest.)
Establish a set of information that can be replicated from one DC to
another.
Speed up management of objects.
Domain Controllers:
o In a domain-based environment, one or more dedicated servers called Domain
Controllers (DCs) hold the security database for all systems. When you log on to
your computer or to any computer, the logon request goes to an available DC to
verify the account and password (p. 370).
o There must be at least one DC in a domain, but there can be more than one.
o Each DC:
Holds a full copy of the Active Directory information for its domain.
Can be used to add a new object to (or change an existing object in) the
Active Directory.
Copies every change made on it to every other DC in the same domain.
o This process of copying changes made on one DC to all of the other DCs is
known as multimaster replication. The advantage of this approach is that if one
DC fails, there will always be a full copy of the Active Directory on another DC
and the network can continue to run based on this copy.
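The fault-tolerance argument above only holds if there really is a second DC and replication between the DCs is actually succeeding. The following PowerShell is an added example (not part of these notes or of any Microsoft sample): it lists the DCs in the current domain, then checks each one's inbound replication partners and any recent replication failures. It assumes the RSAT ActiveDirectory module is installed and the caller is an ordinary domain user (replication metadata is readable without admin rights).

```powershell
# Added example: list the domain's DCs and check that multimaster replication
# between them is healthy. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
Write-Host "Domain: $($domain.DNSRoot)  (DomainMode: $($domain.DomainMode))"

# Every writable DC holds a full replica of the domain partition.
# (Read-only DCs, introduced in Server 2008, show IsReadOnly = True.)
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly
$dcs | Format-Table -AutoSize

# A single DC is a single point of failure; the "another DC has a copy"
# argument needs at least two.
if (@($dcs).Count -lt 2) {
    Write-Warning "Only one DC found: no replica to fall back on if it fails."
}

# For each DC, show who it pulls changes from and when that last succeeded.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -ErrorAction SilentlyContinue |
        Select-Object Server, Partition,
            @{ n = 'Partner'; e = { ($_.Partner -split ',')[1] -replace '^CN=' } },
            LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}

# Any recorded failure means some DCs are serving stale data, e.g. a password
# reset or account disable that has not reached them yet.
$failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain -ErrorAction SilentlyContinue
if ($failures) {
    $failures | Format-Table Server, Partner, FailureType, FailureCount, FirstFailureTime -AutoSize
} else {
    Write-Host "No replication failures reported."
}
```

A non-zero ConsecutiveReplicationFailures or an old LastReplicationSuccess on any row is the condition to act on: until it clears, a change made on one DC (including a security-relevant one such as disabling an account) is not yet in effect on the lagging DC.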
Interactive Logon Security:
o Remember that all of the information about objects (such as computers, printers,
users, etc.) on your network is stored on one or more domain controllers.
Therefore, every user account is itself an object in the Active Directory.
o Whenever a user wishes to access data on a Windows 2000 Server network, that
person logs onto an account that is defined on a domain controller.
o The domain controller checks to make certain that the user account is already
defined and then checks the username and password provided by the user and
makes sure that they match. This is a process known as authentication.
o The default credential in Active Directory is a password. The domain controller
verifies it with the Kerberos protocol; NTLM remains as a fallback for clients
or name forms (for example, an IP address instead of a host name) that cannot
use Kerberos.
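To see the authentication step happen, the following PowerShell is an added example (not from these notes): it asks a DC to validate a username/password pair the same way a logon does, then reads back the event the DC logged for that decision. The domain name corp.example.com is a placeholder; the example assumes a DC for it is reachable and, for the event query, that the caller is in the Event Log Readers group on that DC.

```powershell
# Added example: validate a credential against a DC and find the DC-side event.
# 'corp.example.com' is a placeholder domain name.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DomainCredential {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $Domain
    try {
        # ValidateCredentials hands the name/password pair to a DC of $Domain.
        # With the default ContextOptions it negotiates Kerberos first and
        # falls back to NTLM, matching what an interactive logon does.
        $net = $Credential.GetNetworkCredential()
        return $ctx.ValidateCredentials($net.UserName, $net.Password)
    } finally {
        $ctx.Dispose()
    }
}

$domainName = 'corp.example.com'
$cred = Get-Credential -Message "Account to test against $domainName"
$ok = Test-DomainCredential -Domain $domainName -Credential $cred
Write-Host ("Authentication {0}" -f $(if ($ok) { 'succeeded' } else { 'failed' }))

# The DC that answered recorded the outcome in its Security log:
#   4768 = Kerberos TGT issued (success)
#   4771 = Kerberos pre-authentication failed (e.g. wrong password)
#   4776 = NTLM credential validation (success or failure in the Error Code)
$dc = (Get-ADDomainController -Discover -DomainName $domainName).HostName | Select-Object -First 1
$user = $cred.GetNetworkCredential().UserName
Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4768, 4771, 4776; StartTime = (Get-Date).AddMinutes(-5)
    } |
    Where-Object { $_.Message -match [regex]::Escape($user) } |
    Select-Object TimeCreated, Id,
        @{ n = 'Outcome'; e = {
            switch ($_.Id) { 4768 { 'TGT issued' } 4771 { 'pre-auth failed' } default { 'NTLM validation' } } } } |
    Format-Table -AutoSize
```

The second half is the detection-side view of the same event: a burst of 4771 or failed 4776 entries for one account is what a password-guessing attempt looks like on the DC, and 4776 appearing where you expected 4768 tells you a client fell back from Kerberos to NTLM.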
Object Security:
o Each access control list (ACL) for an object typically contains three categories of
information:
The user accounts (or account groups) that can access the object. In
other words, who can access an object.
Each of these user accounts or group accounts is assigned a type of
access to an object, known as permissions. Standard permissions
include:
Deny – an entry that explicitly blocks the listed access. A Deny entry
takes precedence over an Allow entry for the same access.
Read – permission to view an object’s attributes or the contents of
an object.
Write – permission to change an object’s attributes or the
contents of an object.
Delete All Child Objects – permission to remove an object from
an OU or domain.
Create All Child Objects – permission to add an object to an
OU or domain.
Full Control – permission to do anything to an object. For
example, you can take ownership of an object. You can also
change the permissions associated with an object.
The ownership of the object. The default owner of an object is the user
who created it. However, the ownership can be changed if another user
has sufficient permission, such as Full Control.
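The following PowerShell is an added example (not from these notes): it reads the ACL of one AD object and reports the three things listed above (who has access, which permission, and who owns the object), then flags the rights that are Full Control or are enough for the holder to give themselves Full Control (rewrite the DACL or take ownership). It assumes the RSAT ActiveDirectory module, which registers the AD: drive that Get-Acl reads, and uses the placeholder OU 'OU=Servers,DC=corp,DC=example,DC=com'.

```powershell
# Added example: audit one AD object's ACL. Assumes the ActiveDirectory module;
# the OU distinguished name below is a placeholder.
Import-Module ActiveDirectory

function Get-ADObjectAclReport {
    param([Parameter(Mandatory)] [string] $DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # Full Control itself (GenericAll), or rights that let the holder grant
    # it to themselves: rewrite the DACL (WriteDacl) or take ownership (WriteOwner).
    $escalation = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl  -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    $entries = foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType      # Allow or Deny; explicit Deny entries are ordered before Allow
            Rights    = $ace.ActiveDirectoryRights  # CreateChild/DeleteChild are the "Create/Delete All Child Objects" above
            Inherited = $ace.IsInherited
            # ObjectType narrows a right to one attribute or object class;
            # the empty GUID means the right applies to the whole object.
            AppliesTo = if ($ace.ObjectType -eq [guid]::Empty) { 'whole object' } else { $ace.ObjectType.ToString() }
            Dangerous = ($ace.AccessControlType -eq 'Allow') -and
                        (($ace.ActiveDirectoryRights -band $escalation) -ne 0)
        }
    }

    [pscustomobject]@{
        Object  = $DistinguishedName
        # Defaults to the creator (Domain Admins if the creator is a member of it);
        # an owner can always change the DACL, so ownership is itself a permission.
        Owner   = $acl.Owner
        Entries = $entries
    }
}

$report = Get-ADObjectAclReport -DistinguishedName 'OU=Servers,DC=corp,DC=example,DC=com'
"Object: $($report.Object)"
"Owner:  $($report.Owner)"
$report.Entries | Format-Table Trustee, Type, Rights, Inherited, AppliesTo -AutoSize

# Any trustee here that is not an administrative group is a privilege
# escalation path to everything under this OU.
"Trustees with Full Control or the means to obtain it:"
$report.Entries | Where-Object Dangerous |
    Select-Object Trustee, Rights, Inherited | Format-Table -AutoSize
```

Run it against an OU that holds servers or privileged accounts: a helpdesk group with WriteDacl on that OU, or an ordinary user listed as Owner, has effectively Full Control over every object created beneath it, even though neither appears as "Full Control" in the GUI.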