Install and administer Active Directory
A directory service is a repository of information about the resources—hardware, software, and human—that are connected to a network. Users, computers, and applications throughout the network can access the repository for a variety of purposes, including user authentication, storage of configuration data, and even simple white pages–style information lookups. Active Directory Domain Services (AD DS) is the directory service that Microsoft first introduced in Windows 2000 Server, and they have upgraded it in each successive server operating system release, including Windows Server 2012.
Part 1: Install domain controllers
AD DS is a directory service that enables administrators to create organizational divisions called domains. A domain is a logical container of network components, hosted by at least one server designated as a domain controller. The domain controllers for each domain replicate their data among themselves, for fault tolerance and load balancing purposes.
Objective Summary
- A directory service is a repository of information about the resources—hardware, software, and human—that are connected to a network. Active Directory is the directory service that Microsoft first introduced in Windows 2000 Server, which has been upgraded in each successive server operating system release, including Windows Server 2012.
- When you create your first domain on an Active Directory network, you are, in essence, creating the root of a domain tree. You can populate the tree with additional domains, as long as they are part of the same contiguous namespace.
- When beginning a new AD DS installation, the first step is to create a new forest, which you do by creating the first domain in the forest, the forest root domain.
- In Windows Server 2012, it is now possible to install Active Directory Domain Services on a computer running the Server Core installation option, and promote the system to a domain controller, all using Windows PowerShell.
- Install from Media (IFM) is a feature that enables administrators to streamline the process of deploying replica domain controllers to remote sites.
- There are two ways to upgrade an AD DS infrastructure. You can upgrade the existing downlevel domain controllers to Windows Server 2012, or you can add a new Windows Server 2012 domain controller to your existing installation.
- The global catalog is an index of all the AD DS objects in a forest that prevents systems from having to perform searches among multiple domain controllers.
- DNS is essential to the operation of Active Directory Domain Services. To accommodate directory services such as AD DS, a special DNS resource record was created that enables clients to locate domain controllers and other vital AD DS services.
Part 2: Create and manage Active Directory users and computers
Users and computers are the basic leaf objects that populate the branches of the Active Directory Domain Services tree. Creating and managing these objects are everyday tasks for most AD DS administrators.
Objective Summary
- The user account is the primary means by which people using an Active Directory Domain Services network access resources.
- One of the most common tasks for administrators is the creation of Active Directory user objects. Windows Server 2012 includes several tools you can use to create objects.
- Windows Server 2012 has redesigned the Active Directory Administrative Center (ADAC) application, first introduced in Windows Server 2008 R2, to fully incorporate new features such as the Active Directory Recycle Bin and fine-grained password policies. You can also use the tool to create and manage AD DS user accounts.
- Microsoft Excel and Microsoft Exchange are two common applications that can hold a number of users, along with their accompanying information, that you want to add to the AD DS database. In these cases, you can export information from the applications by saving it to a file in CSV format.
- LDIFDE.exe is a utility that has the same basic functionality as CSVDE.exe and provides the ability to modify existing records in Active Directory.
- Because an AD DS network uses a centralized directory, there has to be some means of tracking the actual computers that are part of the domain. To do this, Active Directory uses computer accounts, which are realized in the form of computer objects in the Active Directory database.
- The process of actually joining a computer to a domain must occur at the computer itself and be performed by a member of the computer’s local Administrators group.
- It is possible to perform an offline domain join, using a command-line program called Djoin.exe.
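The Part 2 objectives above (creating user objects in bulk from an exported CSV, modifying existing objects with LDIFDE, and provisioning a computer account for an offline join with Djoin.exe) can be exercised with the script below. It is an added example, not the book's code: the CSV rows, the OU paths under DC=corp,DC=example,DC=com, the machine name WS-0101 and the paths under C:\temp are all constructed placeholders. It assumes the ActiveDirectory module and a domain-joined management host.

```powershell
Import-Module ActiveDirectory

# Constructed sample of what an Excel or Exchange export looks like after clean-up.
# Deliberately no password column: each account gets a random initial password
# (delivered to the user out of band) and must change it at first logon.
$csv = @'
SamAccountName,GivenName,Surname,Department
jdoe,Jane,Doe,Finance
rroe,Richard,Roe,Engineering
'@
$users = $csv | ConvertFrom-Csv
$targetOu = 'OU=Staff,DC=corp,DC=example,DC=com'

foreach ($u in $users) {
    # 15 random bytes -> 20 Base64 characters, drawn from a cryptographic RNG.
    $bytes = New-Object byte[] 15
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name "$($u.GivenName) $($u.Surname)" `
        -SamAccountName $u.SamAccountName `
        -UserPrincipalName "$($u.SamAccountName)@corp.example.com" `
        -GivenName $u.GivenName -Surname $u.Surname -Department $u.Department `
        -Path $targetOu `
        -AccountPassword $initial `
        -ChangePasswordAtLogon $true `
        -Enabled $true
}
# Equivalent bulk creation with the legacy tool: csvde.exe -i -f users.csv -k
# (CSVDE can only add objects; it cannot modify ones that already exist.)

# LDIFDE can modify an existing record. This LDIF sets the title attribute on
# the user created above; the lone "-" line terminates the change set.
$ldif = @'
dn: CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com
changetype: modify
replace: title
title: Senior Analyst
-
'@
$ldif | Set-Content -Path 'C:\temp\modify.ldf' -Encoding ASCII
ldifde.exe -i -f 'C:\temp\modify.ldf'

# Offline domain join, step 1 (on the management host): create the computer
# object in the chosen OU and save the join blob. The blob contains the
# machine account password, so it is a credential: restrict the file and
# delete it once the workstation has consumed it.
djoin.exe /provision /domain corp.example.com /machine WS-0101 `
    /machineou 'OU=Workstations,DC=corp,DC=example,DC=com' `
    /savefile 'C:\temp\WS-0101.txt'

# Offline domain join, step 2 (on WS-0101, as a member of the local
# Administrators group, followed by a reboot):
#   djoin.exe /requestodj /loadfile C:\temp\WS-0101.txt /windowspath %SystemRoot% /localos
```

The user accounts are created enabled only because each one has a fresh random password and a forced change at first logon; if accounts are prepared ahead of the users' start dates, create them with `-Enabled $false` and enable them on the day.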
Part 3: Create and manage Active Directory groups and organizational units (OUs)
OUs can be nested to create a design that enables administrators to take advantage of the inheritance described earlier. You should limit the number of OUs that are nested, because too many levels can slow the response time to resource requests and complicate the application of group policy settings.
Objective Summary
- Once you have created a design for your Active Directory domains and the trees and forests superior to them, it is time to zoom in on each domain and consider the hierarchy you want to create inside it.
- Adding OUs to your Active Directory hierarchy is not as big an issue as adding domains; you don’t need additional hardware, and you can easily move or delete an OU at will.
- When you want to grant a collection of users permission to access a network resource, such as a file system share or a printer, you cannot assign permissions to an OU; you must use a security group instead. Although they are container objects, groups are not part of the Active Directory hierarchy in the same way that domains and OUs are.
- There is no simpler object type to create in the AD DS hierarchy than an OU. You only have to supply a name for the object and define its location in the Active Directory tree.
- Creating OUs enables you to implement a decentralized administration model, in which others manage portions of the AD DS hierarchy, without affecting the rest of the structure.
- Groups enable administrators to assign permissions to multiple users simultaneously. A group can be defined as a collection of user or computer accounts that functions as a security principal, in much the same way that a user does.
- In Active Directory, there are two types of groups: security and distribution; there are also three group scopes: domain local, global, and universal.
- Group nesting is the term used when groups are added as members of other groups.
- It is possible to control group memberships by using Group Policy. When you create Restricted Groups policies, you can specify the membership for a group and enforce it, so that no one can add or remove members.
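The Part 3 objectives above (a shallow OU hierarchy, security groups of the right scope, group nesting so that permissions are granted to a group rather than an OU, and an enforced membership list for a sensitive group) come together in the following added example. It is not code from the book; the OU names Corp and Finance, the group names, the user jdoe and the approved-member list are constructed placeholders, and it assumes the ActiveDirectory module on a domain-joined host with rights to create objects.

```powershell
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName

# OUs: two levels is enough here. Protection from accidental deletion blocks a
# stray delete of a whole branch of the hierarchy.
New-ADOrganizationalUnit -Name 'Corp' -Path $domainDn -ProtectedFromAccidentalDeletion $true
$financeOu = "OU=Finance,OU=Corp,$domainDn"
New-ADOrganizationalUnit -Name 'Finance' -Path "OU=Corp,$domainDn" -ProtectedFromAccidentalDeletion $true

# Groups: a global security group collects the accounts; a domain-local security
# group is what the resource ACL will reference. The OU itself can never be the
# grantee of a permission.
New-ADGroup -Name 'Finance-Staff' -GroupScope Global -GroupCategory Security -Path $financeOu
New-ADGroup -Name 'ACL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $financeOu
Add-ADGroupMember -Identity 'Finance-Staff' -Members 'jdoe'
# Group nesting: the global group becomes a member of the domain-local group.
Add-ADGroupMember -Identity 'ACL-FinanceShare-Modify' -Members 'Finance-Staff'
# The share and NTFS permissions are then granted to ACL-FinanceShare-Modify.

# Nesting check: how deep is an object in the OU hierarchy? Counting the OU
# components of its distinguished name shows the depth that policy processing
# has to walk for it.
function Get-OuDepth {
    param([string]$DistinguishedName)
    ($DistinguishedName -split ',' | Where-Object { $_ -like 'OU=*' }).Count
}
Get-OuDepth -DistinguishedName (Get-ADUser 'jdoe').DistinguishedName

# Membership enforcement. A Restricted Groups policy (Computer Configuration >
# Policies > Windows Settings > Security Settings > Restricted Groups) resets a
# group's membership to the list you define at every policy refresh. This check
# is the monitoring counterpart: expand nested membership and report anything
# outside the approved list, so a change is noticed before the next refresh
# reverts it (or where no policy covers the group).
$approved = @('Administrator', 'svc-backupadmin')   # constructed approved list
$effective = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$unexpected = $effective | Where-Object { $_ -notin $approved }
if ($unexpected) {
    Write-Warning "Domain Admins members outside the approved list: $($unexpected -join ', ')"
}
```

`Get-ADGroupMember -Recursive` is what makes the audit honest: a user added to a group that is itself nested inside Domain Admins holds the same rights as a direct member, and a check that reads only direct members would miss it.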