Microsoft Active Directory (AD) Computer Science Essay



Managing shared resources and network accounts is one of the most important and time-consuming tasks for IT personnel, and planning, deploying, and upgrading complex networks can easily become a real nightmare. This project will show how the Active Directory system can simplify the management of network resources while offering enhanced network services.


Microsoft Active Directory (AD) has been available since early 2000, and while most organizations have completed their AD deployment and are realizing the many business benefits of having deployed Active Directory, there are still organizations that have either not completed their deployment or have yet to take advantage of some of the important features of Active Directory that yield the greatest business benefits.

Windows Server 2003 and Active Directory provide small and medium-sized organizations with a reliable working environment for end users, offering high levels of reliability and performance so users can get their work done as efficiently as possible, as well as a more secure and manageable environment that makes the lives of the IT staff easier.

What is Active Directory?

Active Directory is the integrated, distributed directory service included with Microsoft Windows Server 2003 and Microsoft Windows 2000 Server. Integrated with Active Directory are many of the applications and services that previously each required a separate, distinct directory and user ID/password to be managed. In Windows NT 4.0, for example, a directory was required for the domain itself, a separate directory for Exchange mailboxes and distribution lists, and separate directories for remote access, database, and other applications. In some cases, separate passwords were required for each application. With Active Directory, the organization's administrator can add a user to Active Directory and, through that single entry, enable remote access to the network, enable the same user account for Exchange messaging, and enable that same user for database access for accounting, client relationship management, or other applications. Not only is it possible to use Active Directory as a multi-purpose directory in this fashion, but by doing so a company enables single sign-on for its users. Once a user logs in to Windows, their Active Directory credential is the key that automatically unlocks all of the applications or services they have been enabled for, including third-party applications that use Windows integrated authentication.

By creating a link between user accounts, mailbox accounts, and applications, Active Directory simplifies the task of adding, modifying, and deleting user accounts. When an employee gets married and changes their name, a single change in Active Directory updates the user information for all applications and services. When a user changes their password in Active Directory, they do not have to remember different passwords for their other applications. When a group of users is created, such as the "sales group", users can e-mail the group to send a message to all its members, administrators can grant access to resources based on the group name, and users can look up the members of a group by expanding the group information. This is just one example of how Active Directory simplifies many administrative tasks and processes that, in the past, involved disparate applications, servers, and services.


Many clients running older operating systems find their current systems simply not capable of meeting the expectations of their business for a reliable, dependable, secure, or manageable environment. While many organizations have gotten creative at workarounds and adding in a number of add-ons and utilities to "make do" with their current investments, Windows Server 2003 and Active Directory provide the out-of-the-box functionality organizations need to effectively and efficiently run their businesses.

Comparison between Domain (Active Directory) Environment and Workgroup Environment

Workgroup: All computers are peers; no computer has control over another computer.
Domain: One or more computers are servers. Network administrators use servers to control the security and permissions for all computers on the domain. This makes it easy to make changes, because the changes are automatically applied to all computers.

Workgroup: Each computer has its own set of user accounts. To use any computer in the workgroup, you must have an account on that computer.
Domain: If you have a user account on the domain, you can log on to any computer on the domain without needing an account on that computer.

Workgroup: There are typically no more than ten to twenty computers.
Domain: There can be hundreds or thousands of computers.

Workgroup: All computers must be on the same local network or subnet.
Domain: The computers can be on different local networks.

Workgroup: Usually costs less money to set up.
Domain: Usually costs more money to set up, because more hardware and software is required.

Workgroup: Not easily scalable. With more than 10 computers, the number of accounts to set up grows quickly.
Domain: Scales more easily as users and computers are added.

Workgroup: Difficult to manage, because resource administration is not centralized.
Domain: Centralized account administration, security policies and permissions.

Benefits of Active Directory

Increasing the Productivity of Users

Power of Group Policy

Windows Update Services

Remote Assistance

System Quarantine

Reducing the Burden of IT Administration

Server Performance and Reliability

Administrative Benefits of Group Policy

Remote Installation Services

Remote Administration

Improving Fault Tolerance to Minimize Downtime

Distributed File System (DFS)

Volume Shadow Copy Service (VSS)

Advanced Server Recovery (ASR)

Enhancing Security to Provide Better Peace of Mind

File-Level Encryption

IP Security

Improved Management Tools

Configure Secure Servers

Active Directory integrated applications

Exchange Server

Improved Systems Management with SMS

ECC Company System Upgrade from Workgroup to Domain

Engineering Consultant Company (ECC) currently works on the workgroup model; this project will move the company to the domain model using "Microsoft Windows Server 2003 Enterprise Edition". I will discuss the steps I took to do this in the coming sections.

First: Creating (ECC.COM) Domain

Prepare the Windows Server 2003 Enterprise Edition CD.

Check that the server hardware meets the Windows Server 2003 requirements.

Install Windows Server 2003 Enterprise Edition and choose the per-server licensing option during installation.

Set the Administrator account password, with complexity options enabled.

Install the hardware drivers and make sure the server firmware is updated to the latest release.

Partition the server hard disks and create RAID 5 stripes.

Install the latest system updates and service packs from the site.

Give the server a static IP address before creating the domain.

Start domain creation with the DCPROMO command from the Run window in the Start menu, or use the Manage Your Server option under Start - Programs - Administrative Tools, add a new role and choose Active Directory.

Choose the "Domain controller for a new forest" option and click Next.

Choose "Domain in a new forest" and click Next.

Choose to configure the DNS server automatically and click Next.

Write the domain name (ECC.COM) and click Next.

Choose the database and log folder paths.

Write the domain restore mode password.

After the domain creation wizard finishes, you have to restart the server.

Second: Maintaining the DNS Server

The DNS server has many advantages:

DNS supports dynamic registration of SRV records, registered by an Active Directory server or a domain controller during promotion. With the help of SRV records, client machines can find domain controllers in the network.

DNS supports secure dynamic updates. Unauthorized access is denied.

Active Directory integrated zones. If you have more than one domain controller (recommended), you need not worry about zone replication. Active Directory replication will take care of DNS zone replication as well.

If your network uses DHCP with Active Directory, no other DHCP server will be able to service client requests coming from a different network, because the DHCP server is authorized in AD and will be the only server on the network allowed to provide IP address information to client machines.

Create a new zone in the reverse lookup zone.

Allow only secure dynamic updates in DNS zones.

Add a new pointer (PTR) record in the reverse lookup zone matching the domain server's record in the forward lookup zone.

Check that new domain computers have a record in the forward lookup zone after they join the domain.
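The four DNS steps above, as an added PowerShell example that is not part of the original essay: it drives dnscmd.exe (shipped with the Windows Server 2003 DNS server) to create the AD-integrated reverse zone, restrict both zones to secure dynamic updates, add the PTR record for the domain controller, and then checks that joined computers have forward records. The DC name ecc-dc1, its address 192.168.10.2, the 192.168.10.0/24 subnet and the workstation names are assumptions.

```powershell
$dns     = 'ecc-dc1'                      # assumed domain controller / DNS server
$revZone = '10.168.192.in-addr.arpa'      # reverse zone for the assumed 192.168.10.0/24 subnet

# Step 1: reverse lookup zone stored in Active Directory, so AD replication carries it
dnscmd $dns /ZoneAdd $revZone /DsPrimary

# Step 2: secure dynamic updates only. AllowUpdate 2 = secure only; 1 would also
# accept unauthenticated updates, which lets any host on the LAN overwrite records.
dnscmd $dns /Config $revZone /AllowUpdate 2
dnscmd $dns /Config ecc.com  /AllowUpdate 2

# Step 3: PTR for the DC; node "2" inside the reverse zone is host 192.168.10.2,
# and the data must match the A record ecc-dc1.ecc.com in the forward zone.
dnscmd $dns /RecordAdd $revZone 2 PTR ecc-dc1.ecc.com.

# Step 4: confirm that computers joined to the domain resolve in the forward zone.
function Test-EccForwardRecords {
    param([string[]]$Computers)
    foreach ($c in $Computers) {
        $fqdn = "$c.ecc.com"
        try {
            # Resolves through the client's configured DNS server (the DC on a domain member)
            $ip = [System.Net.Dns]::GetHostEntry($fqdn).AddressList[0].IPAddressToString
            New-Object PSObject -Property @{ Computer = $fqdn; Address = $ip;   Registered = $true }
        } catch {
            New-Object PSObject -Property @{ Computer = $fqdn; Address = $null; Registered = $false }
        }
    }
}

# Constructed workstation names; in practice feed the list from the domain's computer accounts
Test-EccForwardRecords -Computers @('ecc-ws01', 'ecc-ws02') | Format-Table Computer, Address, Registered -AutoSize
```

A computer that shows Registered = False after joining usually has no DNS suffix or points at a DNS server other than the DC; "dnscmd ecc-dc1 /EnumRecords ecc.com @ /Type A" lists what the zone actually holds.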

Third: Creating DHCP

DHCP has many advantages:

DHCP minimizes configuration errors caused by manual IP address configuration, such as typographical errors, as well as address conflicts caused by a currently assigned IP address accidentally being reissued to another computer.

TCP/IP configuration is centralized and automated.

Network administrators can centrally define global and subnet-specific TCP/IP configurations.

Clients can be automatically assigned a full range of additional TCP/IP configuration values by using DHCP options.

Address changes for client configurations that must be updated frequently, such as remote access clients that move around constantly, can be made efficiently and automatically when the client restarts in its new location.

Most routers can forward DHCP configuration requests, eliminating the requirement of setting up a DHCP server on every subnet, unless there is another reason to do so.

Create the DHCP server by adding the role from the Manage Your Server wizard found in Administrative Tools.

Create a new scope by giving it a name, start and end IP addresses and a subnet mask.

You can create many scopes, depending on your network structure and how many VLANs the company has.

Determine the scope lease time (default 8 days).

After that I tested the DHCP.
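The scope creation above as an added example, not code from the essay: a PowerShell wrapper around netsh (available on Windows Server 2003) that authorizes the server in Active Directory, creates one scope per VLAN with the 8-day default lease, and then lists scopes and leases as the test. The server name ecc-dc1, its address 192.168.10.2, the two subnets, routers and domain suffix are assumptions.

```powershell
# Authorize this DHCP server in Active Directory; unauthorized servers on the
# domain are refused, which is the protection against rogue DHCP servers the
# DNS section describes.
netsh dhcp add server ecc-dc1.ecc.com 192.168.10.2

function New-EccScope {
    param(
        [string]$Network,   # scope ID, e.g. 192.168.10.0 (assumes /24 subnets)
        [string]$Name,
        [string]$Start,
        [string]$End,
        [string]$Router
    )
    netsh dhcp server add scope $Network 255.255.255.0 $Name "$Name VLAN"
    netsh dhcp server scope $Network add iprange $Start $End
    # Option 3 = default gateway, 6 = DNS server (the DC), 15 = DNS suffix,
    # 51 = lease time in seconds (8 days = 691200)
    netsh dhcp server scope $Network set optionvalue 003 IPADDRESS $Router
    netsh dhcp server scope $Network set optionvalue 006 IPADDRESS 192.168.10.2
    netsh dhcp server scope $Network set optionvalue 015 STRING ecc.com
    netsh dhcp server scope $Network set optionvalue 051 DWORD 691200
    netsh dhcp server scope $Network set state 1      # activate the scope
}

# One scope per VLAN; the second one reaches the server through DHCP relay on the router
New-EccScope -Network 192.168.10.0 -Name 'ECC-Office'      -Start 192.168.10.50 -End 192.168.10.200 -Router 192.168.10.1
New-EccScope -Network 192.168.20.0 -Name 'ECC-Engineering' -Start 192.168.20.50 -End 192.168.20.200 -Router 192.168.20.1

# Test: scopes should show state Active, and clients appear after renewing (ipconfig /renew)
netsh dhcp server show scope
netsh dhcp server scope 192.168.10.0 show clients
```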

Fourth: Creating Organizational Units (OUs)

Organizational Unit Advantages:

The primary advantages of the OU are that it affords almost all of the functionality of a domain without the overhead of managing the AD database itself, transaction logs, disaster recovery, backups, monitoring, etc.

OU Administrators have full power over computer accounts, user accounts, group policies, and the way those objects get organized (with the exceptions noted above) and secured. Every object in Active Directory, including objects within an OU (and the OU itself) all have an Access Control List that can be modified to suit the security needs of the OU administrators.

I created 3 OUs inside Active Directory (Normal - Super Users - VIP).

I applied a policy to each OU to maintain its security settings and domain settings.

Fifth: Creating User Accounts

Create user accounts for all company employees according to their OUs.

All created users are domain users; the only domain admin user is the Administrator.

Users are named by the first letter of the first name, the first letter of the second name and the full last name.

Users have to change the default password the first time they log on to the domain.
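The fourth and fifth steps as one added PowerShell example (not the essay's own code): it creates the three OUs if they are missing, derives each username from the naming convention above, creates the account in its OU with a random initial password that must be changed at first logon, and finally checks that Administrator is the only member of Domain Admins. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT; Windows Server 2003 itself has no such cmdlets), the domain DC=ecc,DC=com, a constructed staff list, and a counter suffix for duplicate usernames, which the essay does not specify.

```powershell
Import-Module ActiveDirectory

$domainDn = 'DC=ecc,DC=com'

# Fourth step: the three OUs, created only when absent
foreach ($ou in 'Normal', 'Super Users', 'VIP') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn
    }
}

# Constructed sample staff list; the last entry deliberately collides with the first
$staff = @(
    @{ First = 'Ahmed'; Second = 'Mohamed'; Last = 'Hassan';  OU = 'Normal' },
    @{ First = 'Sara';  Second = 'Khaled';  Last = 'Mansour'; OU = 'Super Users' },
    @{ First = 'Amr';   Second = 'Mostafa'; Last = 'Hassan';  OU = 'VIP' }       # -> amhassan2
)

function New-EccUserName {
    param([string]$First, [string]$Second, [string]$Last, [string[]]$Taken)
    # Essay convention: first letter of first name + first letter of second name + full last name
    $base = ($First.Substring(0, 1) + $Second.Substring(0, 1) + $Last).ToLower()
    if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }   # sAMAccountName limit
    $name = $base
    $i = 2
    while ($Taken -contains $name) { $name = "$base$i"; $i++ }   # assumed collision rule
    return $name
}

function New-EccInitialPassword {
    # 14 characters from a cryptographic RNG; replaced by the user at first logon
    $chars = [char[]]'abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789!#%&*'
    $bytes = New-Object byte[] 14
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$taken = @(Get-ADUser -Filter * | ForEach-Object { $_.SamAccountName })
foreach ($p in $staff) {
    $sam = New-EccUserName -First $p.First -Second $p.Second -Last $p.Last -Taken $taken
    $taken += $sam
    $initial = New-EccInitialPassword
    New-ADUser -Name "$($p.First) $($p.Last)" -GivenName $p.First -Surname $p.Last `
        -SamAccountName $sam -UserPrincipalName "$sam@ecc.com" `
        -Path "OU=$($p.OU),$domainDn" -Enabled $true `
        -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
        -ChangePasswordAtLogon $true
    # The initial password is handed to the employee out of band and is not written to any log
    Write-Host "Created $sam in OU=$($p.OU)"
}

# Essay requirement: Administrator is the only domain admin. Flag anything else.
$extra = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.SamAccountName -ne 'Administrator' }
if ($extra) {
    Write-Warning ("Unexpected Domain Admins: " + (($extra | ForEach-Object { $_.SamAccountName }) -join ', '))
}
```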

Sixth: Creating Group Policies

Group Policy Capabilities

Through Group Policy, administrators define the policies that determine how applications and operating systems are configured and keep users and systems secure. The key features of Group Policy are described below.

Registry-based Policy

The most common and the easiest way to provide policy for an application or operating system component is to implement registry-based policy. With the new Group Policy Management Console (GPMC), described later in this paper, and the Group Policy Object Editor, administrators can define registry-based policies for applications, the operating system, and its components. For example, an administrator can enable a policy setting that removes the Run command from the Start menu for all affected users.

Security Settings

Group Policy provides options for administrators to set security options for computers and users within the scope of a GPO. Local computer, domain, and network security settings can be specified. For added protection, administrators can apply software restriction policies that prevent users from running files based on the path, URL zone, hash, or publisher criteria. Administrators can make exceptions to this default security level by creating rules for specific software.

Software Restrictions

To defend against viruses, unwanted applications, and attacks on computers running Windows XP and Windows Server 2003, Group Policy includes new software restriction policies. Administrators can now use policies to identify software running in a domain and control its ability to execute.

Software Distribution and Installation

Administrators can manage application installation, updates, and removal centrally with Group Policy. Because organizations can deploy and manage customized desktop configurations, they spend less money supporting users on an individual basis. Software can be either assigned to users or computers (mandatory software distribution) or published to users (allowing users to optionally install software through Add/Remove Programs in the Control Panel). Users get the flexibility they need to do their jobs without having to spend time configuring their system on their own.

Administrators can use Group Policy to deploy approved packages. For example, in a highly managed desktop environment where users don't have permission to install applications, the Windows Installer service can perform an installation on the user's behalf. In addition, for highly managed workstations, Windows Installer integrates with the software restriction policies implemented through Group Policy to restrict new installations to a list of acceptable software.

Computer and User Scripts

Administrators can use scripts to automate tasks at computer startup and shutdown and user logon and logoff. Any language supported by Windows Scripting Host can be used, including the Microsoft Visual Basic® development system, Scripting Edition (VBScript); JavaScript; PERL; and MS-DOS®-style batch files (.bat and .cmd).

Roaming User Profiles and Redirected Folders

Roaming user profiles provide the ability to store user profiles centrally on a server and load them when a user logs on. As a result, users experience a consistent environment no matter which computer they use. Through folder redirection, important user folders, such as the My Documents and Start menu, can be redirected to a server-based location. Folder redirection allows centralized management of these folders and gives an IT group the capability to easily backup and restore these folders on behalf of users.

Enhancements in Windows Server 2003 provide more robust roaming capabilities and simplified folder redirection. Together, these features allow mobile users, or those not assigned to a particular computer, to see a familiar desktop when they log on and to locate the folders they need. Administrators can also take advantage of roaming user profiles to replace computers more easily. When a user logs on to a new computer for the first time, the server copy of the user's profile is copied to the new computer. In addition, administrators can redirect users' My Documents folder to their home directory, a new feature.

Offline Folders

When a network is unavailable, the Offline Folders feature provides access to network files and folders from a local disk. Users are assured access to critical information even when network connections are unstable or nonpermanent or when using a mobile computer. When users reconnect to their network, the client files and server files are synchronized, thereby keeping versions consistent and up-to-date.

Internet Explorer Maintenance

Administrators can manage and customize the configuration of Microsoft Internet Explorer on computers that support Group Policy. The Group Policy Object Editor includes the Internet Explorer Maintenance node, which administrators use to edit Internet Explorer security zones, privacy settings, and other parameters on a computer running Windows 2000 and later.

First I had to install the Group Policy Management Console (GPMC). This tool has many advantages:

Easy administration of all GPOs across the entire Active Directory Forest

View of all GPOs in one single list

Reporting of GPO settings, security, filters, delegation, etc.

Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering

Delegation model

Backup and restore of GPOs

Migration of GPOs across different domains and forests

I downloaded the GPMC tool from the site and installed it on the server.

Start the GPMC console from the Run window by typing GPMC.msc.

Once the console has started, you can use it to create new Group Policy Objects (GPOs).

I created 3 policies (Normal - Super Users - VIP).

Normal

Password length = 5 characters

Password must meet complexity requirements = Disabled

Do Not allow users to change internet explorer security zone properties = Enabled

Do not allow users to add/ delete sites in internet explorer = Enabled

Do not allow windows messenger to be run = Enabled

Prevent desktop shortcut creation for windows media player = Enabled

Prevent quick launch tool bar shortcut creation for windows media player = Enabled

Disable the connection page in internet explorer = Enabled

Add Logoff to start menu = Enabled

Force Classic Start Menu = Enabled

Remove add Remove Programs = Enabled

Add WWW.ECC.COM as home page for internet explorer.

Super Users

Password length = 5 characters

Password must meet complexity requirements = Disabled

Add Logoff to start menu = Enabled

Force Classic Start Menu = Enabled

Add WWW.ECC.COM as home page for internet explorer.

Do not allow windows messenger to be run = Enabled

Disable the connection page in internet explorer = Enabled

Configure automatic updates = Enabled

Always wait for a network when computer start = Enabled

Group Policy Refresh interval for Computers = Enabled

Title for Internet Explorer Page = ECC Company


VIP

Password length = 5 characters

Password must meet complexity requirements = Disabled

Add Logoff to start menu = Enabled

Force Classic Start Menu = Enabled

Turn off Creation of system restore checkpoint = Enabled

Configure automatic updates = Enabled

Always wait for a network when computer start = Enabled

Group Policy Refresh interval for Computers = Enabled

After creating the policies, link every policy to the desired OUs.

Now every OU in the domain is managed by a Group Policy Object.
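The sixth step as an added PowerShell example (not the essay's code): it creates the three GPOs, fills the Normal GPO with registry-based equivalents of some of the settings listed above, links each GPO to its OU, and then reports the password policy the domain actually enforces. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 or later with GPMC installed), OUs named Normal, Super Users and VIP under DC=ecc,DC=com, the GPO names ECC-Normal, ECC-SuperUsers and ECC-VIP, and the registry locations behind the corresponding Administrative Template settings.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn    = 'DC=ecc,DC=com'
$ouForPolicy = @{ 'ECC-Normal' = 'Normal'; 'ECC-SuperUsers' = 'Super Users'; 'ECC-VIP' = 'VIP' }

# Create each GPO once; Get-GPO throws when the name does not exist
foreach ($gpoName in $ouForPolicy.Keys) {
    try   { Get-GPO -Name $gpoName -ErrorAction Stop | Out-Null }
    catch { New-GPO -Name $gpoName | Out-Null }
}

# User-side settings for the Normal OU. HKCU keys are applied per user;
# each value is the registry setting behind the named Administrative Template entry.
$explorer  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$uninstall = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall'
$ieMain    = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Main'
$messenger = 'HKCU\Software\Policies\Microsoft\Messenger\Client'
Set-GPRegistryValue -Name 'ECC-Normal' -Key $explorer  -ValueName 'ForceStartMenuLogOff' -Type DWord  -Value 1 | Out-Null  # Add Logoff to Start menu
Set-GPRegistryValue -Name 'ECC-Normal' -Key $explorer  -ValueName 'NoSimpleStartMenu'    -Type DWord  -Value 1 | Out-Null  # Force Classic Start Menu
Set-GPRegistryValue -Name 'ECC-Normal' -Key $uninstall -ValueName 'NoAddRemovePrograms'  -Type DWord  -Value 1 | Out-Null  # Remove Add/Remove Programs
Set-GPRegistryValue -Name 'ECC-Normal' -Key $messenger -ValueName 'PreventRun'           -Type DWord  -Value 1 | Out-Null  # Do not allow Windows Messenger to run
Set-GPRegistryValue -Name 'ECC-Normal' -Key $ieMain    -ValueName 'Start Page'           -Type String -Value 'http://www.ecc.com' | Out-Null  # IE home page

# Link every GPO to its OU (the linking step above), skipping links that already exist
foreach ($gpoName in $ouForPolicy.Keys) {
    $target = "OU=$($ouForPolicy[$gpoName]),$domainDn"
    $linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $linked) { New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null }
}

# Check worth running after linking: password length and complexity for domain
# accounts are read only from GPOs linked at the domain root (Default Domain
# Policy by default). The same settings in an OU-linked GPO affect local accounts
# on the computers in that OU, not domain logons. Report what the domain enforces.
function Get-EccPasswordPolicyReport {
    $pol = Get-ADDefaultDomainPasswordPolicy
    New-Object PSObject -Property @{
        MinPasswordLength  = $pol.MinPasswordLength
        ComplexityEnabled  = $pol.ComplexityEnabled
        MaxPasswordAgeDays = $pol.MaxPasswordAge.Days
        LockoutThreshold   = $pol.LockoutThreshold
    }
}
Get-EccPasswordPolicyReport | Format-List
```

Run "gpupdate /force" on a workstation in the Normal OU and then "gpresult /r" to confirm ECC-Normal is listed among the applied user GPOs.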

Seventh: File Server Creation

Create the file server by adding the role from the Manage Your Server wizard in Administrative Tools.

First allocate the disk space for every user in the domain (200 MB).

Set the warning level (200 MB).

Turn on the indexing option to allow users to search files in their own folders.

Choose the shared folder path on the server.

Write the share name and share description.

Determine permissions (Administrators full access - users read and write).

Domain Administrator Tasks

As domain administrator I have to monitor domain performance and availability through admin tasks scheduled daily, weekly, monthly and as required.

Daily Tasks

Review Logs:

Check the application log for warning and error messages: service startup errors, application or database errors and unauthorized application installs.

Check the security log for warning and error messages: invalid logons, unauthorized user creation, and unauthorized opening or deleting of files.

Check the system log for warning and error messages about hardware and network failures.

Check web/database/application logs for warning and error messages.

Check the directory services log on domain controllers.

Perform and Verify Daily Backup:

Run and/or verify that a successful backup of system and data files has completed.

Run and/or verify that a successful backup of Active Directory files has completed on at least one Domain Controller.

Track and Monitor System Performance and Activity:

Check for memory usage.

Check for system paging.

Check CPU usage.

Check Free Hard Drive Space:

Check all drives for free space and take appropriate action as specified by the site's Standard Operating Procedures.

Physical Check for Systems:

Visually check the equipment for amber lights, alarms, etc. and take appropriate action as specified by the site's Standard Operating Procedures.
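The daily log, memory and disk checks above as one added PowerShell example (not from the essay). It uses Get-EventLog, which works with PowerShell 2.0 on Windows Server 2003 and 2008, and groups security failure audits by event ID and by account so that repeated invalid logons stand out instead of being hard-coded to one OS version's event IDs. The 24-hour window, the ten-failure threshold and the 15 % free-disk limit are assumed values, and the account-name extraction assumes the "User Name:" (2003) or "Account Name:" (2008) line layout of the failure messages.

```powershell
function Get-EccDailyReview {
    param([int]$Hours = 24, [int]$FailedLogonThreshold = 10, [int]$MinFreePercent = 15)
    $since  = (Get-Date).AddHours(-$Hours)
    $report = @{}

    # Application and System logs: service, application, hardware and network problems, by source
    foreach ($log in 'Application', 'System') {
        $report[$log] = Get-EventLog -LogName $log -EntryType Error, Warning -After $since |
            Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
    }

    # Security log: failure audits (invalid logons, denied object access) grouped by event ID
    $fail = Get-EventLog -LogName Security -EntryType FailureAudit -After $since
    $report['SecurityFailures'] = $fail | Group-Object EventID | Select-Object Count, Name

    # Accounts with repeated failures. The target account is the last "Account Name:"
    # line in 2008-style messages (the first is the subject) and the only "User Name:"
    # line in 2003-style messages; "-" means no account was named.
    $report['RepeatedFailures'] = $fail | ForEach-Object {
        $m = [regex]::Matches($_.Message, '(?m)^\s*(?:Account Name|User Name):\s+(\S+)')
        if ($m.Count -gt 0) { $m[$m.Count - 1].Groups[1].Value }
    } | Where-Object { $_ -ne '-' } | Group-Object |
        Where-Object { $_.Count -ge $FailedLogonThreshold } | Select-Object Count, Name

    # Directory Service log exists only on domain controllers
    if ([System.Diagnostics.EventLog]::Exists('Directory Service')) {
        $report['DirectoryService'] = Get-EventLog -LogName 'Directory Service' -EntryType Error, Warning -After $since |
            Select-Object TimeGenerated, EventID, Message
    }

    # Memory usage and free space on fixed drives (DriveType 3)
    $os = Get-WmiObject Win32_OperatingSystem
    $report['FreeMemoryPercent'] = [int](100 * $os.FreePhysicalMemory / $os.TotalVisibleMemorySize)
    $report['LowDisk'] = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
        Where-Object { $_.Size -gt 0 -and (100 * $_.FreeSpace / $_.Size) -lt $MinFreePercent } |
        Select-Object DeviceID, @{ n = 'FreePercent'; e = { [int](100 * $_.FreeSpace / $_.Size) } }

    return $report
}

$r = Get-EccDailyReview
"Free memory: $($r.FreeMemoryPercent)%"
$r.SecurityFailures | Format-Table -AutoSize
$r.RepeatedFailures | Format-Table -AutoSize
$r.LowDisk          | Format-Table -AutoSize
```

Scheduled with the Task Scheduler and its output redirected to a dated file, the same function gives the archive of daily reviews the weekly tasks below refer back to.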

Weekly Tasks

Archive Audit Logs:

Archive audit logs to a media device and clear old Logs.


Update and Run Anti-Virus:

Download and install current Anti-Virus signature files.

Review Anti-Virus Reports and Logs.

Scan all hard-drives using current Anti-Virus signature files.

Check Vendor Websites for Patch Information:

Check vendor websites such as Microsoft, Sun, HP, Oracle, etc. for new vulnerability information including patches and hot fixes.

Compare System Configuration Files against a Baseline for Changes:

Compare system configuration files against the baseline.

Compare application executables against the baseline.

Compare database stored procedures against the baseline.

Run file system integrity diagnostics:

Run diagnostic tools to detect any system problems.

Monthly Tasks

Perform Self-Assessment Security Review:

Review technology checklist for any changes

Run current security review tool

Perform Hardware/Software Inventory:

Review hardware and compare to inventory list

Review software and compare to inventory list

Run Password-Cracking Tool (Domain Controller only)

Run a password-cracking tool to detect weak passwords.

Verify User Account Configuration

Run DumpSec tool to verify user account configuration

Quarterly Tasks

Test Backup and Restore Procedures:

Restore backup files to a test system to verify procedures and files

Change passwords:

Work with appropriate application administrator to ensure password changes for service accounts such as database accounts, application accounts and other service accounts are implemented.

Change Administrator Password for main Servers.

As Required

Test Patches and Hot fixes

Install Patches and Hot fixes

Schedule Downtime for Reboots

Apply OS upgrades and service packs

Create/maintain user and groups accounts

Set user and group security

After System Configuration Changes

Create Emergency System Recovery Data

Create new system configuration baseline

Document System Configuration Changes


In the future, the company will have to upgrade the operating system from Windows Server 2003 to Windows Server 2008, because Windows Server 2008 has many advantages:

Virtualization (Hyper-V): a way of reducing hardware costs by running several 'virtual' servers on one physical machine, available only on 64-bit machines.

Server Core provides the minimum installation required to carry out a specific server role, such as a DHCP, DNS or print server.

Better server security.

Role-based installation.

Read-Only Domain Controllers (RODC).

Enhanced Terminal Services.

Network Access Protection: Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.

PowerShell: Microsoft's new(ish) command-line shell and scripting language.

New IIS 7 release.

Windows Aero: Microsoft's new graphical user interface, used in Windows Vista and Windows 7.