Understanding Active Directory
Heng Sovannarith
Active Directory
• Active Directory is a directory service and hierarchical data store that holds information about objects on your network and makes it easy for administrators to manage and search for those objects.
• Objects inside Active Directory are stored in a tree.
• The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.
• Active Directory cannot exist without a functioning DNS service.
Active Directory (cont.)
• A tree is a collection of one or more domains
and domain trees in a contiguous namespace,
linked in a transitive trust hierarchy.
• At the top of the structure is the forest. A
forest is a collection of trees that share a
common global catalog, directory schema,
logical structure, and directory configuration.
Trusts
• In Active Directory, when two domains trust
each other or a trust relationship exists
between the domains, the users and
computers in one domain can access
Trusts (cont.)
• Domains in a domain tree are joined using two-way transitive trusts. These trusts enable each domain in the tree to trust the authority of every other domain in the tree for user authentication. This means that when a domain joins a domain tree, it automatically trusts every domain in the tree.
Trusts (cont.)
• To allow users in one domain to access resources in another, Active Directory uses trusts.
– One-way trust: One domain allows access to users from another domain, but the other domain does not allow access to users from the first.
– Two-way trust: Both domains allow access to each other's users.
– Trusting domain: The domain that allows access to users from a trusted domain (it holds the resources).
– Trusted domain: The domain whose users are given access to the trusting domain (it holds the accounts).
– Transitive trust: Trust extends along the chain of trusted domains. Where Domain1 trusts Domain2, and Domain2 trusts Domain3, Domain1 also trusts Domain3.
– Non-transitive trust: The defined trust relationship ends with the two
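Added example for these slides (not code from the original): a PowerShell function that turns the trust objects of a domain into the trusting/trusted, one-way/two-way and transitive terms defined above, and flags the attributes a security review cares about. The bit values are those of the trustAttributes attribute documented in MS-ADTS; the domain names in the sample data are assumptions used only for the constructed illustration.

```powershell
# Added example (not from the original slides). Bit flags of the AD
# trustAttributes attribute, as documented in MS-ADTS.
$TRUST_ATTRIBUTE_NON_TRANSITIVE      = 0x00000001   # trust does not chain
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN  = 0x00000004   # SID filtering on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE   = 0x00000008   # forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST       = 0x00000020   # parent/child or tree-root trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL   = 0x00000040   # relaxes SID filtering on a forest trust
$TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION = 0x00000080   # RC4-only trust key (MIT realm trusts)

function ConvertTo-TrustSummary {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-ADTrust output: Source, Target, Direction, TrustAttributes
        [Parameter(Mandatory, ValueFromPipeline)] $Trust
    )
    process {
        $attr = [int]$Trust.TrustAttributes
        # Direction is expressed from the point of view of Source (the local domain):
        #   Outbound = Source trusts Target, so Source is the trusting domain
        #   Inbound  = Target trusts Source, so Source is the trusted domain
        switch ("$($Trust.Direction)") {
            'Outbound'      { $kind = 'One-way'; $trusting = $Trust.Source; $trusted = $Trust.Target }
            'Inbound'       { $kind = 'One-way'; $trusting = $Trust.Target; $trusted = $Trust.Source }
            'BiDirectional' { $kind = 'Two-way'; $trusting = 'both';        $trusted = 'both' }
            default         { $kind = 'Unknown'; $trusting = $null;         $trusted = $null }
        }
        $withinForest  = [bool]($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST)
        $forestTrust   = [bool]($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
        $nonTransitive = [bool]($attr -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
        # Intra-forest and forest trusts chain unless explicitly marked non-transitive;
        # an external trust to a single foreign domain never does.
        $transitive = ($withinForest -or $forestTrust) -and -not $nonTransitive

        $warnings = New-Object System.Collections.Generic.List[string]
        if (-not $withinForest -and -not $forestTrust -and
            -not ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)) {
            $warnings.Add('external trust without SID filtering: SID history from the other side is honoured')
        }
        if ($forestTrust -and ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)) {
            $warnings.Add('forest trust treated as external: SID filtering relaxed')
        }
        if ($attr -band $TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION) {
            $warnings.Add('trust key limited to RC4')
        }
        [pscustomobject]@{
            Source         = $Trust.Source
            Target         = $Trust.Target
            Kind           = $kind
            TrustingDomain = $trusting
            TrustedDomain  = $trusted
            Transitive     = $transitive
            Warnings       = ($warnings -join '; ')
        }
    }
}

# Constructed sample data (domain names are assumptions), one trust per line:
# a child domain, an external trust with SID filtering off, and a forest trust
# that has been relaxed to "treat as external".
$sample = @(
    [pscustomobject]@{ Source = 'rith.local'; Target = 'siemreap.rith.local'; Direction = 'BiDirectional'; TrustAttributes = 0x20 }
    [pscustomobject]@{ Source = 'rith.local'; Target = 'partner.example';     Direction = 'Outbound';      TrustAttributes = 0x00 }
    [pscustomobject]@{ Source = 'rith.local'; Target = 'corp.example';        Direction = 'BiDirectional'; TrustAttributes = (0x08 -bor 0x40) }
)
$sample | ConvertTo-TrustSummary | Format-Table -AutoSize

# On a domain-joined host with the RSAT ActiveDirectory module, run it over real trusts:
# Get-ADTrust -Filter * | ConvertTo-TrustSummary | Format-Table -AutoSize
```

The Warnings column is where the security review starts: SID filtering is never applied to trusts inside a forest, so a compromised child domain can present any SID to its parent, which is why the forest, not the domain, is the security boundary in Active Directory.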
Organizational Units
• The objects held within a domain can be grouped into Organizational Units (OUs).
• An organizational unit (OU) is a container that logically organizes and groups Active Directory objects within a domain. OUs are not part of the DNS namespace.
• OUs therefore serve as containers in which administrators can create and manage Active Directory objects. An OU is the smallest unit to which an administrator can delegate administrative authority or link Group Policy, which makes OUs the natural boundary for least-privilege delegation inside a domain.
• OUs can be organized by geography, by department, or in many other ways.
Organizational Units (cont.)
• Group Policy settings can also be applied to OUs.
• The Active Directory object types that can be located in OUs are listed below:
– User, group, and computer objects; shared folders, printers, applications, and other OUs from the
Users, Groups and Computers
• User objects are the main security principals used in Active Directory.
• A user object consists of the user name, password, group membership details, and other attributes that define the user.
• A group is a collection of user and computer accounts, contacts, and other groups.
• A group object saves administrators from having to set permissions for each user individually.
• A set of users can be grouped and then assigned the appropriate permissions on Active Directory objects and resources.
• A computer object contains information about a computer that is a member of the domain. A computer that joins the domain automatically gets a computer account in AD.
The differences between OUs and
groups
• OUs keep your objects organized and are used to control what users and computers can and cannot do (through delegation and Group Policy).
• Groups are Active Directory objects that allow you to grant or deny access to resources such as printers and folders.
• Groups live in OUs.
• The basic difference between OUs and groups is that groups can be used when applying security to objects, whereas OUs exist when certain administrative
Exercise
• Design the Active Directory for the Royal
University of Phnom Penh
Active Directory Installation
• Please read the other file which I have given to
Managing Organizational Units
• To create an organizational unit
– Go to Server Manager
– Right click on the domain or the organizational unit you want to create it in -> New -> Organizational Unit
Managing Organizational Units (cont.)
• Command Line
– Create a new OU
dsadd ou <OrganizationalUnitDN>
Example: dsadd ou "OU=SiemReap,DC=rith,DC=local"
– For help on dsadd: dsadd ou /?
– Remove an OU
dsrm <OrganizationalUnitDN>
Example: dsrm "OU=SiemReap,DC=rith,DC=local"
– dsrm asks for confirmation before deleting and refuses to delete an OU that still contains objects unless you add -subtree. OUs created in the GUI on Windows Server 2008 and later are protected from accidental deletion by default (a deny-delete entry on the OU), so dsrm fails on them until that protection is cleared; use -noprompt only in scripts where the DN has already been checked.
Managing Group
• To create a group
– Go to Server Manager
– Right click on the organizational unit or container you want to create it in -> New -> Group
Managing Group (cont.)
• Command Line
– Create a new group
dsadd group <GroupDN> -samid <SAMName> -secgrp {yes|no} -scope {l|g|u}
• Where <GroupDN> is the distinguished name of the group, <SAMName> is the unique SAM account name for the group, {yes|no} specifies whether it is a security group (yes, the default) or a distribution group (no), and {l|g|u} defines the scope (l = domain local, g = global, the default, and u = universal). Only security groups can be used in permissions (ACLs); distribution groups exist for e-mail. Once created, you can modify group membership and other properties by right-clicking on it in Active Directory Users and Computers.
– Example:
dsadd group "CN=IT Users,OU=Phnom Penh,DC=rith,DC=local" -samid "IT Users" -secgrp yes -scope g
Managing Group (cont.)
– Remove a group
dsrm <GroupDN>
– Example:
dsrm "CN=IT Users,OU=Phnom Penh,DC=rith,DC=local"
Managing User (cont.)
• The password needs to meet the domain's password policy. With the default Default Domain Policy that means:
– at least 7 characters (the default minimum length; many organizations raise it),
– characters from at least three of the four categories: uppercase letters, lowercase letters, digits, and non-alphanumeric symbols,
– and it must not contain the user's account name, or any part of the user's full name longer than two characters.
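Added example (not code from the original slides): a PowerShell implementation of the default Windows complexity rule described above, so a candidate password can be checked locally before an account is created. The minimum length is the Default Domain Policy value; read the live policy with Get-ADDefaultDomainPasswordPolicy on a domain-joined host, because a real domain may be stricter. The second sample password is a constructed value.

```powershell
# Added example (not from the original slides): local check of the default
# Windows password complexity rule. Defaults mirror the Default Domain Policy.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = '',
        [int]$MinLength = 7          # Default Domain Policy MinimumPasswordLength
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt $MinLength) {
        $reasons.Add("length $($Password.Length) is below the minimum of $MinLength")
    }

    # Complexity: characters from at least three of the four categories
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) {
        $reasons.Add("uses only $categories of the 4 character categories")
    }

    # Must not contain the account name; Windows skips this check when the
    # account name is shorter than three characters. The comparison ignores case.
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons.Add("contains the account name '$SamAccountName'")
    }

    # Must not contain any part of the full name longer than two characters.
    # Windows splits the name on commas, periods, dashes, underscores, spaces, # and tabs.
    foreach ($part in ($DisplayName -split '[,.\-_ #\t]+')) {
        if ($part.Length -gt 2 -and
            $Password.IndexOf($part, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains part of the full name '$part'")
        }
    }

    [pscustomobject]@{
        Account   = $SamAccountName
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# The slide's own example: account rith with password rith@123%#$
Test-PasswordComplexity -Password 'rith@123%#$' -SamAccountName 'rith' -DisplayName 'Miguel Heng'
# A constructed value for the same account that satisfies the default rule
Test-PasswordComplexity -Password 'Tonle-Sap#2024' -SamAccountName 'rith' -DisplayName 'Miguel Heng'
```

The first call is not compliant even though the password is long enough and mixes all four categories: it contains the account name rith, which the last rule forbids. This is exactly the mistake the domain controller will reject when the dsadd user example later in these slides is run with that literal password.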
Managing User (cont.)
Command Line
dsadd user "CN=rith,OU=IT,OU=Library,DC=rith,DC=local" -fn Miguel -ln Heng -pwd * -mustchpwd yes
Or, adding the user to a group at creation time:
dsadd user "CN=rith,OU=IT,OU=Library,DC=rith,DC=local" -fn Miguel -ln Heng -pwd * -mustchpwd yes -memberof "CN=IT Users,OU=Phnom Penh,DC=rith,DC=local"
Using -pwd * makes dsadd prompt for the password instead of taking it from the command line, where it would stay in the console history and be visible to anyone who can list process command lines. A literal value such as rith@123%#$ would in any case be rejected for this account under the default policy, because it contains the account name: without -samid, dsadd derives the SAM account name from the CN, here rith.
Managing User (cont.)
– Disable a user account
dsmod user <UserDN> -disabled {yes|no}
Example:
dsmod user "CN=rith,OU=IT,OU=Library,DC=rith,DC=local" -disabled yes
– Remove a user account
dsrm <ObjectDN>
Example:
dsrm "CN=rith,OU=IT,OU=Library,DC=rith,DC=local"
– Prefer disabling over deleting when a person leaves: a deleted account loses its SID, so permissions granted to it cannot be recovered by recreating a user with the same name, and a disabled account keeps its group memberships for review.
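Added example (not code from the original slides): the OU, group and user operations shown above with dsadd, dsmod and dsrm, done with the ActiveDirectory PowerShell module that ships with RSAT and on domain controllers. The domain rith.local and the OU, group and user names come from the slides; the group's SAM account name, the UPN and the display name are assumptions.

```powershell
# Added example (not from the original slides). Requires the ActiveDirectory
# module and an account allowed to create objects in the target OUs.
Import-Module ActiveDirectory

$domainDN = 'DC=rith,DC=local'
$siteOU   = "OU=Phnom Penh,$domainDN"
$libOU    = "OU=Library,$domainDN"
$itOU     = "OU=IT,$libOU"

# OUs. -ProtectedFromAccidentalDeletion adds a deny-delete entry on the OU,
# which is what makes a later dsrm or Remove-ADOrganizationalUnit fail until
# the flag is cleared; dsadd does not set it.
foreach ($ou in @(@{ Name = 'Phnom Penh'; Path = $domainDN },
                  @{ Name = 'Library';    Path = $domainDN },
                  @{ Name = 'IT';         Path = $libOU })) {
    New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
}

# Global security group: the only group category that can be used in an ACL.
# SAM account name 'ITUsers' is an assumption (the slides only give the CN).
New-ADGroup -Name 'IT Users' -SamAccountName 'ITUsers' -GroupCategory Security `
    -GroupScope Global -Path $siteOU

# User. The password is read as a SecureString from the console instead of
# being typed into the command line, must be changed at first logon, and the
# domain applies its password policy to it at creation time.
$password = Read-Host -Prompt 'Initial password for rith' -AsSecureString
New-ADUser -Name 'rith' -SamAccountName 'rith' -GivenName 'Miguel' -Surname 'Heng' `
    -DisplayName 'Miguel Heng' -UserPrincipalName 'rith@rith.local' -Path $itOU `
    -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true

# Group membership (the dsadd -memberof step)
Add-ADGroupMember -Identity 'ITUsers' -Members 'rith'

# Offboarding: disable first. The SID and group memberships survive, so access
# can be audited or restored; deletion is the irreversible step.
Disable-ADAccount -Identity 'rith'
Get-ADUser -Identity 'rith' -Properties Enabled, MemberOf |
    Select-Object SamAccountName, Enabled, MemberOf

# Removing the user and then the protected OU: the protection must be cleared
# explicitly, which is the two-step behaviour the flag exists to enforce.
Remove-ADUser -Identity 'rith' -Confirm:$false
Set-ADOrganizationalUnit -Identity $itOU -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $itOU -Confirm:$false
```

Run it in an elevated PowerShell session on a management host joined to rith.local. Each cmdlet reports the object it touched, so a failing password policy or a missing parent OU surfaces at the step that caused it rather than at the end.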