Date post: 16-Jan-2016
Session 7: Windows Platform
Eng. Dina Alkhoudari

Learning Objectives
- Active Directory review
- Managing users and groups
- Single Master Operations
- Delegation of Administrative Control

Active Directory Domain Service Review
A directory service is a distributed database that stores information about network resources in order to facilitate their implementation and management.
Objects are organized hierarchically according to a schema (which is stored in the directory) defining the attributes as well as the organization of objects.
Logical components of AD: data store, OU, domain, domain controller, tree, forest.
Physical components: sites, subnets, links.
A namespace organizes the descriptions of resources so that users can locate these resources from their characteristics or properties.
A site is a well-connected group of physical subnets which defines an internal replication boundary. Organizations usually create multiple sites depending on their WAN infrastructure to control replication. A site can also be used as a security scope to delegate authority to an administrator, and as an object to which Group Policy is applied.

Active Directory Domain Service Review
The global catalog is the set of all objects in an Active Directory Domain Services (AD DS) forest.

Replication
- With Active Directory, all domain controllers replicate information automatically to all other domain controllers in a multi-master replication mode.
- Each time an object is modified on one of the domain controllers, the USN is incremented and recorded with the object property.
http://technet.microsoft.com/en-us/library/cc730667.aspx

To alter the schema:
1- Install the Active Directory Schema snap-in (regsvr32 schmmgmt.dll)
2- Add the Active Directory Schema snap-in to the MMC

MMC (Microsoft Management Console): lets system administrators create much more flexible user interfaces and customize administration tools.
http://technet.microsoft.com/en-us/library/cc730749.aspx

Global Catalog
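The slide states that every modification increments the local USN. The following added example (not part of the session slides) models how two DCs use those per-DC USNs to replicate in multi-master mode; it goes a step beyond the slide by including the high-watermark each DC keeps per partner and the up-to-dateness vector that stops a DC from re-applying its own write when it echoes back. DC names, distinguished names and attribute values are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Change:
    dn: str
    attr: str
    value: str
    orig_dc: str    # DC where the write originated
    orig_usn: int   # that DC's USN when it made the write

@dataclass
class DomainController:
    name: str
    usn: int = 0                                        # this DC's own counter
    objects: dict = field(default_factory=dict)         # dn -> {attr: value}
    log: list = field(default_factory=list)             # (local USN, Change), in USN order
    high_watermark: dict = field(default_factory=dict)  # partner -> last partner USN pulled
    utd_vector: dict = field(default_factory=dict)      # orig_dc -> highest orig_usn applied

    def write(self, dn, attr, value):
        """Originating write: increment the local USN and stamp the change with it."""
        self.usn += 1
        self._apply(Change(dn, attr, value, self.name, self.usn))

    def _apply(self, ch):
        self.objects.setdefault(ch.dn, {})[ch.attr] = ch.value
        self.log.append((self.usn, ch))
        self.utd_vector[ch.orig_dc] = max(self.utd_vector.get(ch.orig_dc, 0), ch.orig_usn)

    def replicate_from(self, partner):
        """Pull every partner change past our high-watermark; return how many were applied."""
        applied = 0
        for local_usn, ch in partner.log:
            if local_usn <= self.high_watermark.get(partner.name, 0):
                continue                   # already pulled in an earlier cycle
            self.high_watermark[partner.name] = local_usn
            if ch.orig_usn <= self.utd_vector.get(ch.orig_dc, 0):
                continue                   # propagation dampening: we hold this write already
            self.usn += 1                  # a replicated write also consumes a local USN
            self._apply(ch)
            applied += 1
        return applied

def demo():
    """Two DCs each take one originating write, then replicate in both directions."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("CN=alice,OU=Staff,DC=example,DC=test", "title", "Engineer")
    dc2.write("CN=bob,OU=Staff,DC=example,DC=test", "title", "Analyst")
    pulled_by_dc2 = dc2.replicate_from(dc1)   # alice arrives at DC2
    pulled_by_dc1 = dc1.replicate_from(dc2)   # bob arrives; alice's echo is dampened
    second_pass = dc2.replicate_from(dc1)     # nothing new to apply
    return pulled_by_dc2, pulled_by_dc1, second_pass, dc1.objects == dc2.objects
```

Because each DC's USN counter is local, a change carries two numbers: the originating DC's USN (used for dampening) and the local USN under which each replica logged it (used for the partner's high-watermark).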

USN: Update Sequence Number

Managing users and groups
User accounts are of two types:
- local user accounts
- domain user accounts
Groups are used to collect items and manage them as a single entity.
Groups are of two types:
- Security groups: these are security principals with SIDs. They can therefore be used as permission entries in ACLs to control security for resource access. Security groups can also be used as distribution groups by e-mail applications. If a group will be used to manage security, it must be a security group.
- Distribution groups: used primarily by e-mail applications. These groups are not security enabled; they do not have SIDs, so they cannot be given permissions to resources.

SID: Security Identifier

Managing users and groups
There are four scopes of groups:
- Local groups: available on a single computer
- Domain local groups: used to manage permissions to resources
- Global groups: used primarily to define collections of domain objects based on business roles
- Universal groups: useful in multidomain forests. They enable you to define roles, or to manage resources, that span more than one domain.

Managing users and groups
(Page 145, Page 149)

Single Master Operations
A limited number of operations are not permitted to occur at different places at the same time. These operations are called:
- Operations masters
- Operations master roles
- Single master roles
- Operations tokens
- Flexible single master operations (FSMOs)
That means one domain controller performs a function, and while it does, no other domain controller performs that function.

Single Master Operations
AD DS contains five operations master roles. Two roles are performed for the entire forest:
- Domain naming
- Schema
Three roles are performed in each domain:
- Relative identifier (RID)
- Infrastructure
- PDC Emulator
(Page 480)

Single Master Operations
Domain Naming Master Role: used when adding or removing domains in the forest. When you add or remove a domain, the domain naming master must be accessible, or the operation will fail.
Schema Master Role: the DC holding this role is responsible for making any changes to the forest's schema. All other DCs hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, it is recommended you do so on the DC holding the schema master role. Otherwise, changes you request must be sent to the schema master to be written into the schema.

Note: The RID master role is like DHCP for SIDs.

Single Master Operations
RID Master Role: The RID master plays an integral part in the generation of security identifiers (SIDs) for security principals such as users, groups, and computers. The SID of a security principal must be unique. Because any domain controller can create accounts and, therefore, SIDs, a mechanism is necessary to ensure that the SIDs generated by a DC are unique. Active Directory domain controllers generate SIDs by appending a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain. Thus, each domain controller can be confident that the SIDs it generates are unique.
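The "DHCP for SIDs" analogy, worked through as an added example that is not part of the session slides: one RID master hands non-overlapping RID pools to any number of DCs, each DC mints SIDs only from its pool, and the SID is literally the domain SID with the RID as its last sub-authority. The decoder shows how the same structure appears in the binary objectSid attribute read from AD. The domain SID, the DC names and the tiny pool size are constructed for illustration.

```python
import struct

# Constructed domain SID (not from the page); real ones are S-1-5-21-<three 32-bit values>.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

class RidMaster:
    """The single RID master: hands out non-overlapping RID ranges, so DCs cannot collide."""
    def __init__(self, first_rid=1000):   # RIDs below 1000 are well-known, reserved values
        self.next_rid = first_rid
    def allocate_pool(self, size):
        lo, hi = self.next_rid, self.next_rid + size - 1
        self.next_rid = hi + 1
        return lo, hi

class DomainController:
    """Any DC may create principals, but it mints SIDs only from RIDs in its own pool."""
    def __init__(self, name, rid_master, pool_size=3):   # tiny pool so the refill path runs
        self.name, self.master, self.pool_size = name, rid_master, pool_size
        self.pool = iter(())                              # empty until the first request
    def new_sid(self):
        rid = next(self.pool, None)
        if rid is None:                                   # pool exhausted: ask the RID master
            lo, hi = self.master.allocate_pool(self.pool_size)
            self.pool = iter(range(lo, hi + 1))
            rid = next(self.pool)
        return f"{DOMAIN_SID}-{rid}"

def objectsid_to_string(blob):
    """Decode AD's binary objectSid: revision, sub-authority count, 48-bit big-endian
    identifier authority, then 32-bit little-endian sub-authorities (the last is the RID)."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))

def split_sid(sid):
    domain, _, rid = sid.rpartition("-")   # everything before the final '-' is the domain SID
    return domain, int(rid)

# Constructed objectSid blob for S-1-5-21-1-2-3-500 (RID 500 is the built-in Administrator).
SAMPLE_OBJECTSID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1, 2, 3, 500)

def demo():
    """Two DCs mint SIDs from pools handed out by one RID master; all SIDs stay unique."""
    master = RidMaster()
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    sids = [dc1.new_sid() for _ in range(4)] + [dc2.new_sid() for _ in range(4)]
    rids = sorted(split_sid(s)[1] for s in sids)
    return len(set(sids)) == len(sids), rids
```

The gap in the returned RID list (1004 and 1005 are still unused in DC1's pool) is the expected cost of pool allocation: a DC may hold RIDs it never issues, and the RID master never re-issues them, which is why an unreachable RID master eventually stops account creation on DCs whose pools run dry.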

Infrastructure Master Role: In a multidomain environment, it is common for an object to reference objects in other domains. For example, a group can include members from another domain. Its multivalued member attribute contains the distinguished names of each member. If the member in the other domain is moved or renamed, the infrastructure master of the group's domain updates the group's member attribute accordingly.

Single Master Operations
PDC Emulator Role: This role performs multiple, crucial functions for a domain:
- Emulates a Primary Domain Controller (PDC) for backward compatibility
- Participates in special password update handling for the domain
- Manages Group Policy updates within a domain
- Provides a master time source for the domain
- Acts as the domain master browser

Delegation of Administrative Control
Also called the delegation of control, or just delegation.

It means assigning permissions that manage access to objects and properties in Active Directory.

End of Session

