Recommendations For The Administration Of Active Directory Computer Science Essay


In this work I will focus on the Active Directory Domain Services (AD DS) role of Microsoft Windows Server 2008, its main components, and recommendations for the administration of AD.

What is Active Directory?

Active Directory (AD) is a directory service that makes it possible to manage a domain. It significantly simplifies the daily work of network administration.

AD lets you configure computers, users, printers, software deployment, and much more from one place: the server, called a Domain Controller.

Active Directory Domain Services


Both the old and the new values of changed object attributes can be recorded in the log.

Fine-Grained Passwords

A new feature of AD DS in Windows Server 2008 is the ability to define different password and account lockout policies for different users in the same domain, using Fine-Grained Password Policies.

Fine-Grained Password Policies allow the following settings:

Password Policy:

Enforce password history

Maximum password age

Minimum password age

Minimum password length

Passwords must meet complexity requirements

Store passwords using reversible encryption

Account lockout:

Account lockout duration

Account lockout threshold

Reset account lockout counter after

Fine-Grained Password Policies can be applied to user objects and to global security groups. They cannot be applied to organizational units.

To use Fine-Grained Password Policies, the domain functional level must be Windows Server 2008.
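The following is an added example, not code from the essay: it creates a Fine-Grained Password Policy with the settings listed above and links it to a global security group, using the ActiveDirectory PowerShell module. It assumes the module is available (Windows Server 2008 R2 or later); the group name 'Tier0-Admins' and the policy name 'PSO-Admins-Strict' are placeholders.

```powershell
# Added example, not from the essay: create a Fine-Grained Password Policy (PSO)
# and link it to a global security group with the ActiveDirectory module.
# Assumptions: module available (Windows Server 2008 R2 or later); the group
# 'Tier0-Admins' and the PSO name 'PSO-Admins-Strict' are placeholders.
Import-Module ActiveDirectory

# PSOs require the Windows Server 2008 domain functional level or higher.
$domain  = Get-ADDomain
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$minMode) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2008 first."
}

# The parameters map one-to-one to the Password Policy and Account Lockout
# settings above. Precedence decides which PSO wins when a user falls under
# several of them: the lower number wins.
$pso = @{
    Name                        = 'PSO-Admins-Strict'
    Precedence                  = 10
    PasswordHistoryCount        = 24                        # Enforce password history
    MaxPasswordAge              = New-TimeSpan -Days 60     # Maximum password age
    MinPasswordAge              = New-TimeSpan -Days 1      # Minimum password age
    MinPasswordLength           = 15                        # Minimum password length
    ComplexityEnabled           = $true                     # Complexity requirements
    ReversibleEncryptionEnabled = $false                    # Never store reversibly
    LockoutThreshold            = 5                         # Account lockout threshold
    LockoutDuration             = New-TimeSpan -Minutes 30  # Account lockout duration
    LockoutObservationWindow    = New-TimeSpan -Minutes 30  # Reset lockout counter after
}
New-ADFineGrainedPasswordPolicy @pso

# A PSO can be linked only to users and global security groups, never to an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Tier0-Admins'

# Verify the resultant policy for each user in the group. A user covered by no
# PSO gets $null here and falls back to the Default Domain Policy.
Get-ADGroupMember -Identity 'Tier0-Admins' |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $policyName = if ($rp) { $rp.Name } else { '(Default Domain Policy)' }
        $minLength  = if ($rp) { $rp.MinPasswordLength } else { $null }
        [pscustomobject]@{
            User      = $_.SamAccountName
            Policy    = $policyName
            MinLength = $minLength
        }
    } | Format-Table -AutoSize
```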

Read-Only Domain Controller

An RODC holds a read-only copy of the Active Directory database with all objects and attributes.

Active Directory Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008.

With an RODC, organizations can easily deploy a domain controller for locations where physical security cannot be guaranteed.

The principal purpose of the RODC is to improve security in branch offices. In a branch office it is difficult to ensure the physical security required for IT infrastructure, especially for domain controllers, which contain confidential data.

In such offices domain controllers are often simply tucked away somewhere. If someone gains physical access to a domain controller, it is not hard to manipulate the system and get at the data. The RODC addresses this problem.

The fundamental elements of the RODC are:

Read-Only Domain Controller

Administrative Role Separation

Credential Caching

Read-Only DNS

Restartable Active Directory Domain Services

In Windows Server 2008, Active Directory Domain Services (AD DS) can be stopped and restarted. This means that you can stop AD DS to perform manual maintenance tasks, whereas previous versions of Windows Server required you to restart the system in Directory Services Restore Mode (DSRM). It is a great feature for scripting and automating these tasks.

Possible states of AD DS:

AD DS - started

AD DS - stopped

AD DS Restore Mode (DSRM)
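The following is an added example, not code from the essay: it uses restartable AD DS to run an offline integrity check and compaction of the directory database, then brings the service back, all without rebooting into DSRM. It assumes the default database location C:\Windows\NTDS, a scratch folder C:\NtdsCompact, and an elevated PowerShell session on the domain controller.

```powershell
# Added example, not from the essay: offline integrity check and compaction of
# ntds.dit using restartable AD DS instead of a reboot into DSRM.
# Assumptions: database in C:\Windows\NTDS (the default), C:\NtdsCompact is a
# scratch folder, and the script runs elevated on the domain controller.
$ntdsDir = 'C:\Windows\NTDS'
$target  = 'C:\NtdsCompact'
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Remember which dependent services (KDC, DNS, DFSR, ...) are running:
# stopping NTDS stops them too, and Start-Service NTDS will not bring them back.
$dependents = (Get-Service -Name NTDS).DependentServices |
    Where-Object { $_.Status -eq 'Running' } |
    ForEach-Object { $_.Name }

Stop-Service -Name NTDS -Force
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'AD DS did not stop.' }

try {
    # Offline integrity check of ntds.dit, then compact a copy into $target.
    ntdsutil "activate instance ntds" files integrity quit quit
    ntdsutil "activate instance ntds" files "compact to $target" quit quit
    $compacted = Join-Path $target 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw 'Compaction produced no database file.' }

    # Keep the old database as a backup, swap in the compacted copy, and move
    # the old transaction logs aside, since they belong to the previous file.
    Copy-Item (Join-Path $ntdsDir 'ntds.dit') (Join-Path $target 'ntds.dit.old')
    Copy-Item $compacted (Join-Path $ntdsDir 'ntds.dit') -Force
    Move-Item (Join-Path $ntdsDir '*.log') $target -Force
}
finally {
    # Always bring AD DS back, then the services that were running before.
    Start-Service -Name NTDS
    foreach ($svc in $dependents) { Start-Service -Name $svc }
}
```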

Database Mounting Tool

The AD Database Mounting Tool allows you to take a snapshot of the Active Directory database and mount it in read-only mode.


In Active Directory, resources are organized in a logical structure that reflects the organizational model, using:


Organizational Units (OUs),



Because resources are grouped logically, it is easy to find them by name without remembering their physical location.

The relationship of Active Directory domains, OUs, trees, and forests

The organization's resources are represented in Active Directory as objects. Each object has attributes, or characteristics, that define it.

For example, a user object contains the user's logon name and password, and a group object contains the group name and a list of its members.

Active Directory can store millions of objects, such as users, groups, computers, printers, shared folders, Web sites, links, or Group Policy Objects (GPOs).

One can easily imagine that without some kind of structure, access to and management of such a directory would be a nightmare. Therefore the organizational unit (OU) was introduced, which groups other objects into a single structure.

Domain

The domain is one of the major units of the logical structure in Active Directory. A domain stores objects.

The objects stored in the domain are those we consider necessary in our network; they are the items that support the functioning of the organization:



Email addresses



Other resources

All objects reside within a domain, and each domain stores information only about the objects it contains.

Active Directory consists of one or more domains. A domain can span more than one physical location.

Organizational Unit (OU)

An organizational unit is a container used to organize the objects in a domain into logical administrative groups.

An OU is helpful in performing everyday administrative tasks, such as administering user accounts.

An OU is the smallest scope to which administrative authority can be assigned.

An OU can contain user accounts, groups, computer accounts, printers, applications, shared folders, and other organizational units within the same domain.

The OU hierarchy used in one domain is independent of the OU hierarchy in any other domain: each domain can have its own OU hierarchy.

The Active Directory administrator is responsible for creating a hierarchy that corresponds to the needs of the company.

Tree

A tree is the grouping or hierarchical arrangement of one or more domains that results from adding one or more sub-domains (child domains) to an existing parent domain.

Domains in a tree form a hierarchical namespace.

In accordance with DNS naming standards, the name of a child domain includes the name of its parent domain.

For example, for the parent domain child domains are:

In addition, a child domain for a domain: can be:

Through the use of trees, the administration of individual organizational units and individual domains can be safely assigned to different administrators.

The tree structure can be easily changed to meet business needs.

The person responsible for creating a structure that meets the company's needs is the administrator.

Forest

A forest is a group or hierarchical arrangement of one or more completely independent domain trees. A forest has the following characteristics:

All domains in a forest share a common schema

All domains in a forest share a common global catalog

Trees in the forest have different naming structures, each according to its own domain name

The domains in the forest operate independently, but the forest enables communication throughout the organization

All domains in the forest are connected to one another

Recommendations for the administration of Active Directory Windows Server 2008


The main requirements on the server and client side are:

Server - running Windows Server 2008 / 2008 R2, which will take on the domain controller role

Client - Windows XP/Vista/7

Important: Home editions of these systems cannot be joined to a domain. Such systems can still use shared files on domain controllers or member servers, but you cannot manage them from the DC.

When you design and deploy AD DS, keep in mind that a well-designed AD logical structure lets you organize and integrate elements such as:

Group Policy

Desktop lockdown

Software distribution




Server administration

A well-designed logical structure also eases the integration of Microsoft and non-Microsoft software and services, such as Microsoft Exchange Server, public key infrastructure (PKI), and domain-based Distributed File System (DFS).

Security for user accounts

A user account should be defined for each person who regularly uses the organization's network. The account holder can then log on to the domain.

The credentials used in the logon process are also used to control access to network resources. User accounts are security principals: directory objects that are automatically assigned a security identifier (SID), which is used when granting access to network resources.

Every user who wants to use computer resources must first be authenticated in the domain. The user receives a user name and password from the administrator, which serve to log on to the system.

If the network administrator has not modified the built-in accounts, they may be used by another user (or service) to obtain an unauthorized domain logon, for example by logging on with the Administrator or Guest account. A good way to protect these accounts is to rename them and disable them.

When an account is renamed, it retains its security identifier (SID) and all other properties, such as password, group membership, user profile, account information, and any assigned permissions and user rights.

The use of accounts and groups on the network makes it possible to identify the users who log on and to grant them access only to the resources they are authorized for.

The password should be strong and known only to the user, never given to others, because it is the only basis on which the user is verified and granted access to the resources to which he is entitled.

You should use Fine-Grained Password Policy and account lockout to protect the domain against attacks. Strong passwords reduce the risk of password cracking by dictionary attacks.

Kerberos provides encrypted authentication. It is the default authentication protocol for logging on to Active Directory Domain Services from clients running Windows 2000 or later.

It is designed on the assumption that traffic between the client and the server travels over an insecure network. This means that the user's password is never transmitted in clear text, where it would be readable by any network sniffer.

Account Lockout Policy reduces the probability of a break-in to the domain.

Account Lockout Policy determines the number of failed logon attempts with a user account that are allowed before the account is locked out.

Below are the settings associated with password configuration and other information relevant to the security of user accounts. The system administrator can manage user accounts and password options. These options can be configured when creating a user account or in the account's Properties dialog box:

User must change password at next logon - this option is used when a new user logs on to the system for the first time, or when an administrator resets a forgotten password at the user's request.

User cannot change password - this option should be used when it is necessary to control changes to the account's password. It is used when an administrator manages the account, such as a guest or temporary account.

Password never expires - this option prevents the password from expiring. For the best protection, you should avoid using this option.

Store password using reversible encryption - this setting allows users of Apple computers to log on to the MS Windows network.

Account is disabled - with this option, you can prevent anyone from logging on with the account. It is useful for accounts that serve as templates, or for users who will not use their account for a long time.

Smart card is required for interactive logon - this setting requires the user to use a smart card when logging on to the network. The password is then generated automatically.

Account is sensitive and cannot be delegated - this setting gives you control over a user account, for example a guest or temporary account. Use this option if the account's credentials should not be delegated by another account or service.
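The following is an added example, not code from the essay: a read-only audit that reports accounts carrying the risky options discussed above and checks the built-in Administrator and Guest accounts by well-known RID. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later); treating AdminCount=1 as "privileged" and 365 days as the inactivity limit are simplifications chosen for the report.

```powershell
# Added example, not from the essay: read-only audit of the account options
# discussed above plus the built-in Administrator and Guest accounts.
# Assumptions: ActiveDirectory module available (Windows Server 2008 R2+);
# AdminCount=1 as "privileged" and a 365-day inactivity limit are simplifications.
Import-Module ActiveDirectory

$props = 'PasswordNeverExpires', 'AllowReversiblePasswordEncryption',
         'AccountNotDelegated', 'AdminCount', 'Enabled', 'LastLogonDate'

$findings = foreach ($u in Get-ADUser -Filter * -Properties $props) {
    $issues = @()
    if ($u.PasswordNeverExpires) { $issues += 'password never expires' }
    if ($u.AllowReversiblePasswordEncryption) { $issues += 'reversible encryption' }
    # Privileged accounts should be marked "sensitive and cannot be delegated".
    if ($u.AdminCount -eq 1 -and -not $u.AccountNotDelegated) {
        $issues += 'privileged but delegatable'
    }
    # Enabled accounts unused for a year are candidates for "Account is disabled".
    if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-365)) {
        $issues += 'no logon in 365 days'
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            Issues         = ($issues -join '; ')
        }
    }
}
$findings | Sort-Object SamAccountName | Format-Table -AutoSize

# Built-in accounts are located by well-known RID (500 = Administrator,
# 501 = Guest), so a renamed account does not escape this check.
$domainSid = (Get-ADDomain).DomainSID.Value
$admin = Get-ADUser -Identity "$domainSid-500"
$guest = Get-ADUser -Identity "$domainSid-501"
if ($admin.SamAccountName -eq 'Administrator') {
    Write-Warning 'Built-in Administrator still uses its default name; rename it.'
}
if ($guest.Enabled) {
    Write-Warning 'Guest account is enabled; disable it.'
}
```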

It is worth mentioning Group Policy. Group Policy settings are stored in GPOs. Several GPOs can be applied to a single location or to the domain.

A rule applied to a parent object is passed down to its child objects. So, if we apply a policy to the domain, its settings apply to all OUs within that domain.

We can also apply rules to a particular object, thus bypassing inheritance. Group Policies are divided into two main categories:

Rules for computers - which are applied at startup

Rules for users - which are applied during the logon process.


Is it worth implementing Active Directory?

Certainly many novice administrators and IT professionals in their companies ask themselves this question.

Much depends on how large and complex our environment is. If it is only a few or a dozen computers, you may consider whether the cost of such an implementation would be too high.

However, when the number of hosts is counted in the tens, the choice is obvious.

In this way we are able to manage the settings of computers, users, groups, printers and shared folders more effectively, all in one place.

We have the assurance that each computer is configured according to a specified pattern.

The administrator's tasks when preparing new workstations are kept to a minimum; Group Policy Objects take care of everything.

Benefits of using Active Directory can be summarized as follows:

Centralized management of IT infrastructure

Automatic installation and updating of software across the company

Single sign-on - the user enters a user name and password only once at logon and is then given access to all data for which he has permissions, without having to re-enter credentials each time, which increases employee productivity

Reduced cost of managing accounts

Fewer reports of failures and problems