Active Directory is a repository of information about the objects in a network, such as users, computers, printers and shared files. By default it defines many attributes for each object class, and the information about an object is stored in those attributes. An Access Control List is stored with each object, granting or denying users permission to read or manage it. Windows Server 2003 added improvements in security, manageability and scalability over the earlier Windows 2000 Server.
Users can query Active Directory for information about any object, such as a printer. In a large organisation with a great deal of data, importing it into Active Directory and managing it by hand would be tedious; Application Programming Interfaces such as ADSI and LDAP allow the data to be managed programmatically. Data is stored in a hierarchy similar to a file system. Each entry is an object, and objects are either containers (such as organizational units, which hold other objects) or leaf objects. Every object is stamped with a Globally Unique Identifier (GUID, held in the objectGUID attribute) that never changes even if the object is renamed or moved. Because a GUID is hard to remember, objects are also addressed by a Distinguished Name (DN), which follows the LDAP naming rules: a comma-separated list of relative distinguished names read from the object up to the domain root, for example CN=Jane Doe,OU=Staff,DC=example,DC=com.
The logical structure of Active Directory is built from domains, trees and forests. A domain has a DNS name that identifies it uniquely and an X.500-style hierarchy of objects. A tree is one or more domains that share a contiguous DNS namespace and are linked into a hierarchy by trusts. A forest is a collection of one or more trees that share a global catalog, directory schema, configuration and logical structure. The forest, not the domain, is the security boundary: an administrator of any domain in a forest can in practice gain control of every other domain in it, so users, groups and computers that must be isolated from one another belong in separate forests.
Active Directory secures access with built-in logon authentication and authorization. Authentication confirms a user's identity before granting access to the network: the user logs on once to the domain and, once confirmed, can reach network resources without logging on again. Active Directory supports several standards-based mechanisms for proving identity, including Kerberos V5 (the default), smart card logon, X.509 v3 certificates and public key infrastructure, with NTLM retained for older clients. Where a user in one domain authenticates to a resource in another, a trust relationship between the two domains allows the domain controller holding the user's account to vouch for the user to the domain controller holding the resource. Authentication alone does not entitle a user to everything: authorization grants or denies access to users and groups according to the permissions set on each object and the user rights assigned in the domain. Securing Active Directory also begins with physical security. Administrative passwords should be held only by the people who need them and never shared, and domain controllers must be kept where they are not accessible to everybody, because anyone with physical access to a domain controller can copy its directory database (ntds.dit) and recover every password hash in the domain.
Active Directory uses trusts to let users in one domain access resources in another. Within a forest, two-way transitive trusts between parent and child domains and between tree roots are created automatically when the domains are created. Windows Server 2003 also makes it straightforward to create trusts between forests. Through these trusts an administrator can grant access to resources whether they are local or in a foreign domain. A single forest is easier to manage than several, but multiple forests give stronger isolation. In either case, care is needed when creating trusts between forests in Windows Server 2003. A forest trust can only be created between the two forest root domains, and it is not transitive beyond those two forests: a third forest trusted by one of them gains no access to the other. Where even that is too broad, an external trust is created instead; it is non-transitive and applies only to the two specific domains it joins (Desmond, et al. 2008). Both kinds of trust should keep SID filtering enabled (the default for trusts created from a Windows Server 2003 domain controller) so that a compromised trusted domain cannot inject privileged SIDs from this domain into the SID history of its users.
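The following script is an added example, not part of the essay and not Microsoft's own material: it creates the non-transitive external trust described above from the command line on a Windows Server 2003 domain controller, using netdom and nltest from the Windows Server 2003 Support Tools, and then checks the two settings that limit what a compromised partner domain can do with the trust. The domain names corp.example.com and partner.example.net and the administrator account names are assumptions for illustration.

```batch
@echo off
rem Added example (not from the essay): create and harden a one-way external trust.
rem Run on a domain controller of corp.example.com (the trusting domain) as a domain
rem administrator. netdom and nltest come from the 2003 Support Tools. The domain and
rem account names below are assumptions; "*" makes netdom prompt for each password so
rem that no password is left in the command history.

set TRUSTING=corp.example.com
set TRUSTED=partner.example.net

rem 1. Create the trust: corp.example.com trusts partner.example.net, so PARTNER users
rem    can be granted access to CORP resources. External trusts are non-transitive,
rem    so domains that PARTNER trusts gain nothing, and without /twoway CORP users get
rem    no access in PARTNER. /usero is the account in the trusting (object) domain,
rem    /userd the account in the trusted domain.
netdom trust %TRUSTING% /domain:%TRUSTED% /add ^
    /usero:CORP\Administrator /passwordo:* ^
    /userd:PARTNER\Administrator /passwordd:*
if errorlevel 1 goto :fail

rem 2. Make sure SID filtering (quarantine) is on. It is the default for trusts created
rem    from Windows Server 2003, but an administrator may have cleared it; without it
rem    a compromised PARTNER domain can put the SID of CORP's Domain Admins group into
rem    a user's SIDHistory and that user is then accepted as an administrator here.
netdom trust %TRUSTING% /domain:%TRUSTED% /quarantine:yes ^
    /userd:PARTNER\Administrator /passwordd:*
if errorlevel 1 goto :fail

rem 3. Selective authentication: PARTNER users can reach no CORP computer until they
rem    are explicitly granted "Allowed to Authenticate" on it, instead of counting as
rem    Authenticated Users on every machine in the domain.
netdom trust %TRUSTING% /domain:%TRUSTED% /selectiveauth:yes ^
    /userd:PARTNER\Administrator /passwordd:*
if errorlevel 1 goto :fail

rem 4. Verify the trust secret, then list every trust this domain has so that a
rem    trust nobody remembers creating stands out.
netdom trust %TRUSTING% /domain:%TRUSTED% /verify ^
    /userd:PARTNER\Administrator /passwordd:*
nltest /domain_trusts /all_trusts
goto :eof

:fail
echo Trust configuration failed; see the netdom output above.
exit /b 1
```

The quarantine and selective-authentication switches only change how the trust is evaluated on the trusting side, so they can be applied to an existing trust at any time; granting PARTNER users access to a particular server then means adding them to that computer object's "Allowed to Authenticate" permission in Active Directory Users and Computers as well as to the share or service permissions.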
After Windows Server 2003 is installed, the Active Directory Installation Wizard (dcpromo) is used to create the first forest and domain, and this is where the initial security settings are made. Insert the Windows Server 2003 CD-ROM or DVD-ROM (the wizard needs it to install the DNS Server service), click Start, click Run, type dcpromo and press Enter. On the wizard's pages, click Next and choose Domain controller for a new domain, then Domain in a new forest.
Next, enter the full DNS name for the new domain (for example corp.example.com) and accept the defaults offered for the NetBIOS name, the database and log folders and the SYSVOL folder. When the wizard reports that it cannot find a DNS server that accepts dynamic updates, choose Install and configure the DNS server on this computer. On the permissions page choose Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems unless pre-Windows 2000 servers must still read the domain, because the pre-Windows 2000 option adds Everyone and Anonymous Logon to the Pre-Windows 2000 Compatible Access group and lets anonymous connections enumerate the directory. Then set and confirm a strong Directory Services Restore Mode password. This is not the domain Administrator password but a separate local password that gives full access to the directory database when the server is booted into restore mode, so it must be recorded securely and protected. After the installation completes, restart the computer and confirm in the DNS management console that a forward lookup zone for the domain exists and contains the _msdcs, _sites, _tcp and _udp folders with SRV records pointing at the new domain controller; without those records clients cannot locate the domain.
To add users, click Start, point to Administrative Tools, and click Active Directory Users and Computers. Expand the domain created earlier, right-click the Users container (or an organizational unit created to hold the accounts), point to New, and click User. Type the user's names and logon name, click Next, and enter a password. Of the password options offered, the recommended one is User must change password at next logon, so that the initial password chosen by the administrator is replaced by one only the user knows. Click Next and then Finish. Authorization is then granted through group membership rather than to individual accounts: right-click the new user, click Properties, click the Member Of tab, click Add, type the group name under Enter the object names to select, and click OK. Repeat this for each user, clicking OK to close the Properties dialog box at the end.
The final step is to join a member server (or workstation) to the domain. Log on to the computer to be added, right-click My Computer, click Properties, click the Computer Name tab, and then click Change. In the Computer Name Changes dialog box, click Domain under Member of, type the domain name, and click OK. When prompted, supply the name and password of an account that is allowed to join computers to the domain: by default any authenticated domain user can join up to ten computers, and a domain administrator can join any number. Click OK to acknowledge the welcome message and restart the computer when prompted. After the restart the computer is a member of the domain and its computer account appears in the Computers container of Active Directory Users and Computers.
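The script below is an added example, not part of the essay and not Microsoft's own material. It performs the four steps just described from the command line on Windows Server 2003: promoting the first domain controller with dcpromo's unattended answer file, creating a user who must change the password at first logon, placing the user in a group, and joining a member server. The dsadd, dsquery and dsget tools are built into Windows Server 2003; netdom comes from the Support Tools. The domain corp.example.com, the NetBIOS name CORP, the Staff and Servers OUs, the Helpdesk group, the user jdoe and the server WS01 are assumptions for illustration.

```batch
@echo off
rem Added example (not from the essay): the essay's dcpromo / user / group / join
rem steps done unattended on Windows Server 2003. All names below are assumptions.
rem Usage:
rem   adsetup.cmd promote   on the server to be promoted (it restarts when done)
rem   adsetup.cmd users     on the new domain controller, after the restart
rem   adsetup.cmd join      on the member server WS01 (needs the Support Tools)
setlocal
set DOMAIN=corp.example.com
set BASE=DC=corp,DC=example,DC=com
set ANSWER=%SystemDrive%\dcpromo-answer.txt

if /i "%1"=="promote" goto :promote
if /i "%1"=="users"   goto :users
if /i "%1"=="join"    goto :join
echo usage: %~nx0 promote ^| users ^| join
exit /b 1

:promote
rem Same choices as the wizard pages: new domain in a new forest, DNS installed and
rem configured by dcpromo, default paths, and permissions compatible only with
rem Windows 2000/2003 (AllowAnonymousAccess=No keeps Everyone and Anonymous Logon
rem out of the Pre-Windows 2000 Compatible Access group). Replace the DSRM password
rem before running; it is the recovery password for the directory database.
(
echo [DCInstall]
echo ReplicaOrNewDomain=Domain
echo NewDomain=Forest
echo NewDomainDNSName=%DOMAIN%
echo DomainNetbiosName=CORP
echo AutoConfigDNS=Yes
echo AllowAnonymousAccess=No
echo DatabasePath=%SystemRoot%\NTDS
echo LogPath=%SystemRoot%\NTDS
echo SYSVOLPath=%SystemRoot%\SYSVOL
echo SafeModeAdminPassword=CHANGE-ME-to-a-long-DSRM-password
echo RebootOnSuccess=No
) > "%ANSWER%"
dcpromo /answer:"%ANSWER%"
rem The answer file held the DSRM password in clear text: delete it, then restart
rem so the new domain controller role takes effect.
del "%ANSWER%"
shutdown -r -t 0 -c "Active Directory installed, restarting"
goto :eof

:users
rem Accounts get their own OU so that delegation and Group Policy can be scoped to
rem them. jdoe is created with "User must change password at next logon"
rem (-mustchpwd yes), so the password typed here is only a one-time secret, and
rem -pwd * makes dsadd prompt for it rather than taking it on the command line.
dsadd ou "OU=Staff,%BASE%" -desc "Staff user accounts"
dsadd ou "OU=Servers,%BASE%" -desc "Member servers"
dsadd group "CN=Helpdesk,OU=Staff,%BASE%" -secgrp yes -scope g -desc "Helpdesk staff"
dsadd user "CN=Jane Doe,OU=Staff,%BASE%" -samid jdoe -upn jdoe@%DOMAIN% ^
    -fn Jane -ln Doe -display "Jane Doe" -pwd * -mustchpwd yes ^
    -memberof "CN=Helpdesk,OU=Staff,%BASE%"
if errorlevel 1 exit /b 1
rem Verify: the account resolves by logon name, its membership is what was set,
rem and DNS holds the SRV record that clients use to locate a domain controller.
dsquery user -samid jdoe
dsget user "CN=Jane Doe,OU=Staff,%BASE%" -memberof
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%
goto :eof

:join
rem Join WS01 into the Servers OU instead of the default Computers container. A
rem domain administrator account is used because an ordinary user may by default
rem join only ten computers and cannot place them in a chosen OU. /reboot restarts
rem the machine after 30 seconds, as the wizard asks.
netdom join WS01 /domain:%DOMAIN% /ou:"OU=Servers,%BASE%" ^
    /userd:CORP\Administrator /passwordd:* /reboot:30
goto :eof
```

Once WS01 has restarted, `netdom verify WS01 /domain:corp.example.com` confirms that the secure channel between the member server and a domain controller works, which is the command-line equivalent of checking that the computer account appeared in Active Directory Users and Computers.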
In conclusion, these steps give the administrator a domain in which every user has an individual account, access is granted through group membership rather than shared passwords, and trusts between domains are created deliberately and kept as narrow as the need allows, so that security is not compromised by users sharing passwords or by trusts that reach further than intended (Microsoft Support, web).