Why does an organization need Active Directory? Active Directory best practices

This wizard will then display its final window and the work is almost complete; it only remains to wait for the wizard to finish (this takes quite a long time, since a significant amount of work is done to create AD).

After our first domain controller is set up, shouting "hurray" is a bit premature. On completing the DCPROMO wizard we are prompted to restart the controller. First of all, after the reboot we will no longer see the profiles of the local user accounts. This means that if your favourite soundtrack was in the "My Music" folder, it is no longer anywhere... But it need not be that sad if you saved your data separately beforehand.

The controller restarts and performs its first start-up in its new capacity. What happens:

  • The Active Directory database is formed from the NTDS.dit template in the %SystemRoot%\System32 directory (in the %SystemRoot%\NTDS directory, for example, the files RES1.log and RES2.log appear; they are 10 megabytes each and simply reserve space, so that later, when free space runs out, they are "deleted" to let NTDS.dit grow; there is also the transaction log EDB.log (and similar files) and the checkpoint file EDB.chk, which is used together with the transaction log to replay transactions when necessary; at the end of DCPROMO's work the execution logs DCPROMOUI.log, dcpromo.log, netsetup.log and dcpromos.log also appear in the %SystemRoot%\Debug directory);
  • A new Administrator account (with a new security identifier, SID) and the other standard directory service records are created;
  • The NETLOGON and SYSVOL shares are created;
  • Some services have their startup type changed from "Manual" to "Automatic";
  • The time service synchronizes with an external source (in our case there is nobody to synchronize with, but it is still worth knowing that time is synchronized with the controller holding the PDC role (on our single controller that is naturally the same machine) by the command net time /setsntp:<list of time servers>).

Note. The installation can also be performed with an answer file, dcpromo /answer:<answer file>, but I do not recommend doing it that way the first time, without experience.

Not only will the controller start "slowly", but even after logging on I recommend pausing for 30 minutes; during that time the controller finishes configuring DNS and the directory service, as well as intra-site replication.

What to do next:

  • Look through the event log for errors, try to find the cause and eliminate it (remember the log files listed slightly above; they will also be useful);
  • Check that all services with the "Automatic" startup type are running;
  • Unnecessary services can (very carefully and thoughtfully) be switched to "Manual" and stopped;
  • Check the TCP/IP settings and the DNS service.
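The four checks above can be scripted. The following is an added example, not code from the original article: it is meant to run in an elevated PowerShell session on the freshly promoted controller (Windows Server 2008 R2 or later). The event log names, Win32_Service, dcdiag and nltest are real; the function names and the $Hours parameter are assumptions made here.

```powershell
# Added example: post-DCPROMO health check on the new domain controller.
# Assumes an elevated PowerShell session on the DC itself.

function Get-DcStartupErrors {
    param([int]$Hours = 1)
    # Error and Critical events (Level 2 and 1) written since promotion in the
    # logs that DCPROMO and the first start-up touch.
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in 'Directory Service', 'DNS Server', 'System') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, ProviderName, Message
    }
}

function Get-StoppedAutoServices {
    # Services whose startup type is "Automatic" but which are not running.
    # Win32_Service is used instead of Get-Service -StartType so the check
    # also works on the PowerShell 2.0 shipped with Windows Server 2008 R2.
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, DisplayName, State, StartMode
}

function Get-DcDnsClientConfig {
    # TCP/IP and DNS client settings of every IP-enabled adapter. A domain
    # controller should point at itself (or another DC) for DNS, never at an
    # ISP resolver, otherwise the SRV records of the domain cannot be found.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
        Select-Object Description, IPAddress, DefaultIPGateway, DNSServerSearchOrder, DNSDomain
}

function Test-DcHealth {
    # Built-in diagnostics: dcdiag verifies DNS, services and replication;
    # nltest confirms that the DC locator can find this controller.
    $domain  = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    $results = @{}
    $results['dcdiag']  = & dcdiag.exe /test:dns /test:services /test:replications
    $results['locator'] = & nltest.exe "/dsgetdc:$domain"
    $results
}

# Usage (constructed): run the checks and print what needs attention.
Get-DcStartupErrors -Hours 2 | Format-Table -AutoSize -Wrap
Get-StoppedAutoServices | Format-Table -AutoSize
Get-DcDnsClientConfig | Format-List
(Test-DcHealth)['locator']
```

An empty result from Get-StoppedAutoServices and a locator answer that names this server are what a healthy first controller looks like; anything listed by Get-DcStartupErrors should be explained before clients are joined.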

But we will not be afraid. After all, this program simply creates "virtual hardware". That is the definition I have just made, both difficult and very simple at the same time. What does it mean?

It means anything at all. The main thing is to fix firmly in your head that we have some number of computers joined into a network by network devices, and the program replaces all of that!!! That is, we simulate this hardware with the program. HOW? WHAT FOR? And WHY?

Honestly, here our own habits and notions become our enemy. At first it was hard for me to "get into" which computer I was actually sitting at. Yes, yes, don't laugh :)))

WHY...

I decided to use this very program (this is my opinion) and no other, because of the analogues: for example, Microsoft recently acquired the company Connectix, which developed a VMware analogue, and now comes to market with the VirtualPC program, but Linux is not supported. I will leave that without comment. Other competitors () also have disadvantages, which turned out to be the decisive factor in the "I want everything" choice :)

I strongly recommend visiting the website www.twoostwo.ru, dedicated to virtual machines and operating system emulators, where you can get comprehensive review-type information on the features of one program or another and, in the end, understand the difference between hardware emulation and operating system emulation.

WHAT FOR...

In general this program can be used in a great many cases; I will mention only what comes to mind:

  • Beginners: gain skills in installing operating systems, different ones, and... all at the same time :)));
  • Users: the ability to test program and system settings without risking the hardware;
  • Developers: write code and port it to various systems, transfer data;
  • System administrators and engineers: design networks (in particular, build a two-node cluster on a laptop or desktop computer) and prepare for certification exams;
  • Security specialists: at the cost of speed, the program can be installed on an encrypted disk, and then important confidential programs can be hidden as such; decoy hosts can also be created.

Other applications you can think up yourselves... :)

HOW...

Since this article is not devoted to the features of VMware, especially as that already exists elsewhere, I will describe only the principle of use.

The first step: we must create a virtual machine, specifying which hardware it will be stuffed with; pay special attention to the network cards ("Bridged", i.e. a bridge, lets the virtual machine use the same network card "together" with the host operating system; "Host-only" creates a virtual network connection between the host and the virtual machines; "NAT" organizes NAT translation of external IP addresses into internal ones).

Last, install the drivers; they will not be those of the real machine, but the ones from VMware.

Program: VMware Workstation 4.5.1-768

Description: Allows, while working in one operating system (for example Windows XP), to work simultaneously in Windows 2000, Windows NT, Windows 9x, FreeBSD or Linux, without having to allocate separate partitions for the operating systems and restart the computer when switching from one OS to another.

License: Shareware.

Platforms: Windows, Unix


Appendix to the article. Domain Name Service (DNS) in Active Directory

Let me remind you in two words that the Domain Name Service resolves domain names into the corresponding IP addresses and is a distributed database. Data about domains and the hosts belonging to them, which together form the DNS namespace, is not concentrated in one place but stored as fragments on separate servers, which is why we can speak of the DNS database being distributed.

In the Windows 2000 operating system the DNS service performs (or may not :-) dynamic registration by clients of their own domain names, which significantly simplifies the administration of these databases, which are also called zones. In Windows 2000 we can place a zone inside the Active Directory (AD) directory service, which improves the fault tolerance, availability and manageability of the service. Many mechanisms that AD uses also cannot do without DNS. The point is that "locating" the nearest server, say a global catalog (GC) server, relies on a special type of resource record called service locator records, or, as they are designated, SRV records.

These records are used to determine the location of servers providing particular services. An SRV record is a "synonym", or, as they also say, a DNS alias of a service. It is written like this:
_Service._Protocol.DnsDomainName.
where:
Service is the service name (it can be kerberos, gc, ldap, etc.);
Protocol is the protocol by which clients can connect to this service (usually TCP or UDP);
DnsDomainName is the DNS name of the domain to which the server belongs (in our case songi.local).

For each DNS domain a set of SRV records is formed, grouped into special subdomains:

_msdcs - an auxiliary domain used to group resource records about servers performing specific roles (such as a global catalog server or the primary domain controller).

Thanks to this, clients can search for servers not by the service name but by the role performed by the required server. The aliases used to create resource records in this subdomain look like this:
_Service._Protocol.DcType._msdcs.DnsDomainName.
The DcType parameter determines the server role (pdc, dc, gc, domains). For example, for servers performing the function of a domain controller and belonging to the songi.local domain, the following DNS alias is created:
_ldap._tcp.dc._msdcs.songi.local

_sites - an auxiliary domain used to group resource records reflecting the physical structure of the network (from the point of view of the site infrastructure).

This domain acts as a container for other subdomains whose names correspond to the names of the sites. The aliases are written in the following format:
_Service._Protocol.SiteName._sites.DnsDomainName.
When a client queries the DNS server, the query includes all the necessary information (such as the service name, protocol and domain name). The DNS service first tries to find in its database a domain controller belonging to the same site as the client "requesting" the service. To do so, the DNS service returns all SRV records associated with that site. If the search within this site is unsuccessful, the DNS service starts looking through the records of other sites.

In fact, we do not have to create the listed service records manually; when the first domain controller is installed, they are created automatically. However, understanding these records is important! Now imagine a very unlikely situation, but still: some records were changed incorrectly by hand, or accidentally erased altogether. This is not a reason to panic. The Netlogon service is responsible for creating these records. On the command line we issue just two commands:

net stop netlogon

net start netlogon

By restarting the service, our records are recreated automatically! Of course, if the zone also contained records for client machines (A records), for example, these will have to be restored separately. But it is enough to use automatic address assignment by DHCP, and this problem is also easily solved.
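To make the two points of this appendix concrete (the SRV naming scheme of the _msdcs and _sites subdomains, and the Netlogon restart that recreates the records), here is an added PowerShell example; it is not code from the article. It builds the names a domain should have according to the two formats above, checks that DNS answers them, and, only when asked with -Repair, restarts Netlogon and asks it to re-register. It assumes an elevated session on a domain member; songi.local is the article's example domain, Default-First-Site-Name is the site name assumed here, and the function names are this example's own. Resolve-DnsName exists from Windows Server 2012, so a nslookup fallback is included for 2008 R2.

```powershell
# Added example: expected SRV records for a domain, a resolution check, and
# the Netlogon re-registration described in the article.

function Get-ExpectedSrvRecords {
    param(
        [string]$DnsDomainName = 'songi.local',
        [string]$SiteName      = 'Default-First-Site-Name',
        [string]$ForestRoot    = $DnsDomainName   # GC records live under the forest root
    )
    # Role-based aliases: _Service._Protocol.DcType._msdcs.DnsDomainName
    $roleNames = @(
        "_ldap._tcp.dc._msdcs.$DnsDomainName",
        "_kerberos._tcp.dc._msdcs.$DnsDomainName",
        "_ldap._tcp.pdc._msdcs.$DnsDomainName",
        "_ldap._tcp.gc._msdcs.$ForestRoot"
    )
    # Site-based aliases: _Service._Protocol.SiteName._sites.DnsDomainName
    $siteNames = @(
        "_ldap._tcp.$SiteName._sites.$DnsDomainName",
        "_kerberos._tcp.$SiteName._sites.$DnsDomainName",
        "_ldap._tcp.$SiteName._sites.dc._msdcs.$DnsDomainName"
    )
    $roleNames + $siteNames
}

function Test-SrvRecord {
    param([string]$Name)
    # Returns the target host names of the SRV record, or an empty list if the
    # record does not resolve.
    if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) {
        $answers = Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue
        return @($answers | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget })
    }
    # Windows Server 2008 R2: parse the "svr hostname = ..." lines of nslookup.
    $out = & nslookup.exe -type=SRV $Name 2>$null
    return @($out | ForEach-Object { if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1] } })
}

function Repair-DcSrvRecords {
    param(
        [string]$DnsDomainName = 'songi.local',
        [string]$SiteName      = 'Default-First-Site-Name',
        [switch]$Repair
    )
    $missing = Get-ExpectedSrvRecords -DnsDomainName $DnsDomainName -SiteName $SiteName |
        Where-Object { (Test-SrvRecord -Name $_).Count -eq 0 }
    if (-not $missing) { Write-Host 'All expected SRV records resolve.'; return }
    Write-Warning ("Missing SRV records:`n" + ($missing -join "`n"))
    if ($Repair) {
        # Same effect as "net stop netlogon" / "net start netlogon" on the DC;
        # nltest /dsregdns then makes Netlogon re-register its DNS records at
        # once instead of waiting for the next periodic registration.
        Restart-Service -Name Netlogon
        & nltest.exe /dsregdns
    }
    $missing
}

# Usage (constructed): report only, then repair if something is missing.
Repair-DcSrvRecords -DnsDomainName 'songi.local'
# Repair-DcSrvRecords -DnsDomainName 'songi.local' -Repair
```

Run the report form first: a missing record on a healthy controller usually means the client's DNS server setting is wrong (the previous section's check), not that the records were erased, and restarting Netlogon will not fix that.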

Active Directory is Microsoft's directory service for the Windows NT family of operating systems.

This service allows administrators to use group policies to ensure uniform user environment settings, software installation, updates, etc.

What is the essence of how Active Directory works and what tasks does it solve? Read on.

Principles of organizing peer-to-peer and hierarchical networks

But another problem arises: what if user User2 on PC2 decides to change his password? Then, once the account password is changed, User2 will no longer be able to access the resource on PC1.

Another example: we have 20 workstations with 20 accounts, to which we want to give access to something; for this we must create 20 accounts on the file server and grant them access to the required resource.

And what if there are not 20 but 200?

As you understand, with this approach network administration turns into a nightmare.

Therefore the workgroup approach is suitable for small office networks with no more than 10 PCs.

If there are more than 10 workstations on the network, it is reasonable to use the approach in which one node of the network is delegated the rights of authentication and authorization.

That node is the domain controller - Active Directory.

Domain Controller

The controller stores the account database, i.e. it stores the accounts both for PC1 and for PC2.

Now all accounts are defined once, on the controller, and the need for local accounts loses its meaning.

Now, when a user logs on to a PC by entering a username and password, this data is transmitted in encrypted form to the domain controller, which performs the authentication and authorization procedures.

After that, the controller issues the logged-on user something like a passport, with which the user works from then on and which is presented, on request, to other computers on the network and to the servers whose resources the user wants to access.

Important! A domain controller is a computer running the Active Directory service, which manages user access to network resources. It stores resources (for example printers, shared folders), services (for example e-mail), people (user accounts and user groups) and computers (computer accounts).

The number of such stored objects can reach millions.

The following MS Windows versions can act as a domain controller: Windows Server 2000/2003/2008/2012, except the Web Edition.

Besides being the center of network authentication, the domain controller is also the control center for all computers.

Immediately after being switched on, the computer starts contacting the domain controller, long before the logon window appears.

Thus it is possible to authenticate not only the user entering the username and password, but also the client computer itself.

Installing Active Directory

Consider an example of installing Active Directory on Windows Server 2008 R2. To install the Active Directory role, open "Server Manager":

Add a role via "Add Roles":

Select the "Active Directory Domain Services" role:

And proceed with the installation:

After that we get a notification window about the installed role:

After installing the domain controller role, we proceed to install the controller itself.

Click "Start", type the name of the DCPROMO wizard in the program search field, run it and tick the box for advanced mode:

Click "Next" and, from the offered options, choose creating a new domain in a new forest.

Enter the domain name, for example Example.net.

Enter the NetBIOS domain name, without the zone:

Select the functional level of our domain:

Given how a domain controller works, also install a DNS server.

Leave the locations of the database, the log file and the system volume unchanged:

Enter the domain administrator password:

Check that everything is filled in correctly and, if all is in order, click "Next".

After that the installation process runs, and at its end a window appears reporting a successful installation:
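The same steps can be driven without clicking through the wizard, using the answer-file switch of dcpromo that the first part of the page mentions. The following is an added example, not code from the article: it installs the AD DS role and promotes a fresh Windows Server 2008 R2 server to the first controller of a new forest with the same choices as the screenshots above (new forest, DNS installed, default paths). It assumes an elevated session on the server; example.net and EXAMPLE are the article's example names, the function names and the file path are assumptions made here, and the password written to the file is the Directory Services Restore Mode password that the wizard asks for.

```powershell
# Added example: unattended first-DC promotion on Windows Server 2008 R2.
# Assumes an elevated PowerShell session on the server being promoted.

function New-DcPromoAnswerFile {
    param(
        [string]$DomainName  = 'example.net',
        [string]$NetbiosName = 'EXAMPLE',
        [string]$Path        = "$env:TEMP\dcpromo-forest.txt",
        [Security.SecureString]$SafeModePassword
    )
    # dcpromo needs the restore-mode password in clear text inside the file,
    # so the caller deletes the file immediately after promotion.
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SafeModePassword)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    $lines = @(
        '[DCINSTALL]',
        'ReplicaOrNewDomain=Domain',          # a new domain ...
        'NewDomain=Forest',                   # ... that is the root of a new forest
        "NewDomainDNSName=$DomainName",
        "DomainNetbiosName=$NetbiosName",     # NetBIOS name, without the zone
        'ForestLevel=4',                      # 4 = Windows Server 2008 R2 functional level
        'DomainLevel=4',
        'InstallDNS=Yes',                     # DNS server goes on the DC, as in the wizard
        'ConfirmGc=Yes',
        'CreateDNSDelegation=No',
        'DatabasePath="C:\Windows\NTDS"',     # default locations, left unchanged
        'LogPath="C:\Windows\NTDS"',
        'SYSVOLPath="C:\Windows\SYSVOL"',
        "SafeModeAdminPassword=$plain",
        'RebootOnCompletion=No'               # we reboot ourselves after cleaning up
    )
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

function Install-FirstDomainController {
    param([string]$DomainName = 'example.net', [string]$NetbiosName = 'EXAMPLE')
    # Step 1: the AD DS role, which is what "Add Roles" does in Server Manager.
    Import-Module ServerManager
    Add-WindowsFeature AD-Domain-Services | Out-Null

    # Step 2: promotion, the part the DCPROMO wizard performs.
    $dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
    $file = New-DcPromoAnswerFile -DomainName $DomainName -NetbiosName $NetbiosName -SafeModePassword $dsrm
    try {
        & dcpromo.exe "/unattend:$file"
    } finally {
        # Never leave a file with the restore-mode password on disk.
        Remove-Item -Path $file -Force -ErrorAction SilentlyContinue
    }
    Restart-Computer -Force
}

# Usage (constructed):
# Install-FirstDomainController -DomainName 'example.net' -NetbiosName 'EXAMPLE'
```

On Windows Server 2012 and later the same promotion is done with the ADDSDeployment module (Install-ADDSForest), and dcpromo is no longer used.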

Introduction to Active Directory

This report discusses two types of computer networks that can be built with Microsoft operating systems: the workgroup and the Active Directory domain.

Active Directory is Microsoft's extensible and scalable directory service; it allows network resources to be managed effectively.
Active Directory is a hierarchically organized store of data about network objects, providing convenient tools for searching and using this data. A computer on which Active Directory runs is called a domain controller. Almost all administrative tasks are connected with Active Directory.
Active Directory technology is based on standard Internet protocols and helps to define the network structure clearly; deploying an Active Directory domain from scratch is described in more detail in a separate article.

Active Directory and DNS

Active Directory relies on the Domain Name System (DNS).

Administering Active Directory

Using the Active Directory service, computer accounts are created, computers are joined to the domain, and computers, domain controllers and organizational units (OUs) are managed.

The administration and support tools are designed to manage Active Directory. The tools listed below are implemented as snap-ins of the Microsoft Management Console (MMC):

  • Active Directory Users and Computers lets you manage users, groups, computers and organizational units (OUs);
  • Active Directory Domains and Trusts serves to work with domains, domain trees and domain forests;
  • Active Directory Sites and Services lets you manage sites and subnets;
  • Resultant Set of Policy is used to view the current user or computer policy and to plan policy changes.

In Microsoft Windows Server 2003 these snap-ins are accessible directly from the Administrative Tools menu.

Another administration tool is the Active Directory Schema snap-in, which lets you view and modify the directory schema.

Active Directory Command Line Utilities

To manage Active Directory objects there are command-line tools that cover a wide range of administrative tasks:

  • DSADD - adds computers, contacts, groups, OUs and users to Active Directory.
  • DSGET - displays the properties of computers, contacts, groups, OUs, users, sites, subnets and servers registered in Active Directory.
  • DSMOD - changes the properties of computers, contacts, groups, OUs, users and servers registered in Active Directory.
  • DSMOVE - moves a single object to a new location within the domain, or renames an object without moving it.
  • DSQUERY - searches for computers, contacts, groups, OUs, users, sites, subnets and servers in Active Directory by the specified criteria.
  • DSRM - removes an object from Active Directory.
  • NTDSUTIL - lets you view information about a site, domain or server, manage operations master roles (Operations Masters) and maintain the Active Directory database.
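The DS tools are designed to be chained: dsquery returns distinguished names, and dsget or dsmod consume them. As an added example, not from the article, here is an account-hygiene audit built only from the tools listed above, run from PowerShell on a domain member with the AD DS tools installed. The thresholds (4 weeks inactive, 90 days without a password change), the OU name and the function names are assumptions made for this example.

```powershell
# Added example: account audit with dsquery / dsget / dsmod / dsadd.
# Assumes a domain member with the AD DS command-line tools present.

function Get-InactiveUsers {
    param([int]$Weeks = 4)
    # dsquery finds the distinguished names of users who have not logged on
    # for $Weeks weeks; dsget expands each DN to the columns we want.
    # "-limit 0" removes dsquery's default cap of 100 results.
    dsquery.exe user -inactive $Weeks -limit 0 |
        dsget.exe user -samid -display -disabled
}

function Get-StalePasswordUsers {
    param([int]$Days = 90)
    # Users whose password has not been changed for $Days days, one
    # sAMAccountName per line thanks to "-o samid".
    dsquery.exe user -stalepwd $Days -limit 0 -o samid
}

function Get-PasswordNeverExpiresUsers {
    # userAccountControl bit 65536 (0x10000) = DONT_EXPIRE_PASSWORD.
    # 1.2.840.113556.1.4.803 is LDAP's bitwise-AND matching rule, so the
    # filter matches users that have that bit set.
    $filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    dsquery.exe * -filter $filter -attr sAMAccountName -limit 0 |
        Select-Object -Skip 1 |                      # first line is the column header
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}

function Disable-InactiveUsers {
    param([int]$Weeks = 8, [switch]$WhatIf)
    # Remediation: dsmod sets the account to disabled. With -WhatIf only the
    # DNs that would be affected are listed. dsquery prints each DN in
    # quotes, which are stripped before passing it on.
    $dns = dsquery.exe user -inactive $Weeks -limit 0
    foreach ($dn in $dns) {
        $clean = $dn.Trim('"')
        if ($WhatIf) { "Would disable $clean" } else { dsmod.exe user $clean -disabled yes }
    }
}

function New-WorkstationOu {
    param([string]$DomainDn = 'DC=example,DC=net')
    # dsadd creates an OU; the name is an example.
    dsadd.exe ou "OU=Workstations,$DomainDn" -desc 'Example OU created with dsadd'
}

# Usage (constructed):
Get-InactiveUsers -Weeks 4
Get-StalePasswordUsers -Days 90
Get-PasswordNeverExpiresUsers
Disable-InactiveUsers -Weeks 8 -WhatIf
```

Running Disable-InactiveUsers without -WhatIf changes accounts, so review the -WhatIf list first; service accounts are a common reason for "password never expires" and need a policy decision rather than a blind change.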

A domain is the main administrative unit in the network infrastructure of an enterprise; it includes all network objects, such as users, computers, printers, shared resources, etc. A collection (hierarchy) of domains is called a forest. Each company may have an external and an internal domain.

For example, the site's domain is an external domain on the Internet, purchased from a domain registrar. It hosts our web site and mail server. Lankey.local is an Active Directory Domain Services domain, which hosts user accounts, computers, printers, servers and corporate applications. Sometimes the external and internal domain names are made the same.

Microsoft Active Directory has become the standard for the enterprise single directory. An Active Directory domain has been introduced in almost all companies in the world, and Microsoft has almost no competitors left in this market: the share of the former Novell Directory Service (NDS) is negligible, and the remaining companies are gradually migrating to Active Directory.

Active Directory is a distributed database that contains all domain objects. The Active Directory domain environment is a single point of authentication and authorization for users and applications across the enterprise. Building the IT infrastructure of an enterprise begins precisely with organizing the domain and deploying Active Directory. The Active Directory database is stored on dedicated servers, the domain controllers. The Active Directory service is a role of the Microsoft Windows Server server operating systems. At the moment LanKey deploys Active Directory domains based on the Windows Server 2008 R2 operating system.

Deploying the Active Directory directory service, compared with a workgroup, gives the following advantages:

  • Unified point of authentication. When computers work in a workgroup, they have no single user database; each computer has its own. Therefore, by default, none of the users has network access to another user's computer or to a server. And, as you know, the whole point of a network is that users can interact. Employees need shared access to documents or applications. In a workgroup, the complete list of users who need network access has to be added manually on every computer or server. If one of the employees suddenly wants to change their password, it has to be changed on all computers and servers. It is fine if the network consists of 10 computers, but with 100 or 1000 a workgroup becomes unacceptable. With an Active Directory domain, all user accounts are stored in a single database, and all computers turn to it for authorization. All domain users are placed in the relevant groups, for example "Accounting", "HR", "Finance Department", etc. It is enough to set permissions once for the particular groups, and all users receive the appropriate access to documents and applications. If a new employee joins the company, an account is created and included in the relevant group, and that is it! After a couple of minutes the new employee has access, on all servers and computers, to all the network resources they are allowed to access. If an employee is dismissed, it is enough to block or delete their account, and they immediately lose access to all computers, documents and applications.
  • Unified point of policy management. In a peer-to-peer network (workgroup) all computers are equal. No computer can manage the others, all computers are configured differently, and it is impossible to enforce either uniform policies or security rules. With a single Active Directory directory, all users and computers are hierarchically distributed among organizational units, each of which has its own uniform group policies applied. Policies let you set uniform settings and security settings for a group of computers and users. When a new computer or user is added to the domain, it automatically receives settings that match the accepted corporate standards. Policies can also be used to centrally assign network printers to users, install the required applications, set Internet browser security settings, configure Microsoft Office applications, etc.
  • Integration with corporate applications and equipment. A big advantage of Active Directory is the LDAP standard, which is supported by hundreds of applications, such as mail servers (Exchange, Lotus, MDaemon), ERP systems (Dynamics, CRM), proxy servers (ISA Server, Squid), etc. And these are not only applications for Microsoft Windows, but also Linux-based servers. The advantage of such integration is that the user does not need to remember a large number of logins and passwords to access a particular application; in all applications the user has the same credentials, because authentication takes place in the single Active Directory directory. Moreover, the employee does not have to enter the username and password several times: it is enough to log on once when the computer starts, and from then on the user is authenticated automatically in all applications. For integration with Active Directory, Windows Server provides the RADIUS protocol, which is supported by a large amount of network equipment. Thus it is possible, for example, to authenticate domain users when they connect to a Cisco router over VPN.
  • Unified storage of application configuration. Some applications store their configuration in Active Directory, for example Exchange Server or Office Communications Server. Deploying the Active Directory directory service is a prerequisite for these applications to work. The configuration of the DNS domain name server can also be stored in the directory service. Storing application configuration in the directory service is advantageous in terms of flexibility and reliability. For example, in the event of a complete failure of the Exchange server, its entire configuration remains intact, because it is stored in Active Directory. And to restore corporate mail, it is enough to reinstall the Exchange server in recovery mode.
  • Increased level of information security. Using Active Directory significantly improves network security. First, it is a single, protected store of accounts. In a peer-to-peer network, user credentials are stored in the local account database (SAM), which in theory can be cracked if the computer is stolen. In a domain environment, all domain user passwords are stored on dedicated domain controller servers, which are usually protected from outside access. Second, in a domain environment the Kerberos protocol is used for authentication, which is significantly more secure than the NTLM used in workgroups. In addition, two-factor authentication with smart cards can be used for logon. That is, for an employee to get access to a computer, they must enter the username and password and also insert their smart card.

Scalability and fault tolerance of the Active Directory directory service

The Microsoft Active Directory directory service has extensive scaling options. More than 2 billion objects can be created in an Active Directory forest, which allows directory services to be deployed in companies with hundreds of thousands of computers and users. The hierarchical structure of domains allows the IT infrastructure to scale flexibly across all branches and regional divisions of a company. A separate domain can be created for each branch or division of the company, with its own policies, its own users and groups. Administrative authority over each child domain can be delegated to local system administrators. At the same time, child domains remain subordinate to the parent.

In addition, Active Directory lets you configure trust relationships between domain forests. Each company has its own domain forest, each with its own resources. But sometimes it is necessary to give employees of partner companies access to corporate resources. For example, when taking part in joint projects, employees of partner companies may need to work together on shared documents or applications. For this purpose, trust relationships can be configured between the organizations' forests, which allow employees of one organization to be authorized in the domain of the other.

The fault tolerance of the directory service is ensured by deploying 2 or more servers, domain controllers, in each domain. All changes are replicated automatically between domain controllers. If one of the domain controllers fails, the operation of the network is not disrupted, because the remaining ones keep working. An additional level of fault tolerance is provided by placing DNS servers on the Active Directory domain controllers, which gives each domain several DNS servers serving the main domain zone. If one of the DNS servers fails, the remaining ones continue to work, and they remain available both for reading and for writing, which cannot be achieved using, for example, a BIND DNS server on Linux.

Advantages of moving to Windows Server 2008 R2

Even if your company has already deployed the Active Directory directory service based on Windows Server 2003, you can gain a number of advantages by moving to Windows Server 2008 R2. Windows Server 2008 R2 provides the following additional features:

    Read-only domain controller, RODC (Read-Only Domain Controller). Domain controllers store user accounts, certificates and much other confidential information. If the servers are located in a secured data center, you can be at ease about the safety of this information, but what if a domain controller is in a branch office, in a publicly accessible place? In this case there is a possibility that attackers will steal the server and break into it, and then use this data to organize an attack on your corporate network in order to steal or destroy information. It is precisely to prevent such cases that read-only domain controllers (RODC) are installed in branch offices. First, RODC controllers do not store user passwords, but only cache them to speed up access; second, they use one-way replication, only from the central servers to the branch, never back. So even if attackers steal an RODC domain controller, they will not obtain user passwords and cannot harm the main network.

    Restoring deleted Active Directory objects. Almost every system administrator has faced the need to restore an accidentally deleted user account or a whole group of users. In Windows 2003 it was necessary to restore the directory service from a backup, which often did not exist, and even when it did, the recovery took quite a long time. Windows Server 2008 R2 has the Active Directory Recycle Bin. Now, when a user or computer is deleted, it goes into the Recycle Bin, from which it can be restored in a couple of minutes, within 180 days, with all its original attributes preserved.

    Simplified management. In Windows Server 2008 R2 a number of changes were made that significantly reduce the load on system administrators and simplify management of the IT infrastructure. For example, tools appeared such as: auditing of Active Directory changes, showing who changed what and when; password complexity policies assigned at the level of user groups, where previously this was possible only at the domain level; a new user and computer management console; policy templates; management from the PowerShell command line, etc.
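Two of the features just listed, the Recycle Bin and group-level password policies, are driven from the ActiveDirectory PowerShell module that Windows Server 2008 R2 introduced. The following is an added example, not code from the article: it enables the Recycle Bin, finds and restores a deleted user with its original attributes, and creates a fine-grained password policy for one group. It assumes an elevated session on a 2008 R2 (or later) controller in a forest already at the Windows Server 2008 R2 functional level; example.net, the user jsmith, the "Accounting" group, the policy name and the function names are this example's assumptions.

```powershell
# Added example: Active Directory Recycle Bin and fine-grained password
# policy on Windows Server 2008 R2. Assumes the ActiveDirectory module and
# a forest at the 2008 R2 functional level.
Import-Module ActiveDirectory

function Enable-AdRecycleBin {
    param([string]$ForestRoot = 'example.net')
    # One-time and irreversible. From then on deleted objects keep all their
    # attributes for the deleted-object lifetime (180 days by default) and
    # can be restored without a backup.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $ForestRoot -Confirm:$false
}

function Find-DeletedAdUser {
    param([string]$SamAccountName)
    # Deleted objects live under the Deleted Objects container and are only
    # returned when -IncludeDeletedObjects is given. lastKnownParent is the
    # OU the object will be restored into.
    Get-ADObject -LDAPFilter "(&(objectClass=user)(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged
}

function Restore-DeletedAdUser {
    param([string]$SamAccountName)
    # Restores the object with its original attributes and SID, so group
    # memberships and ACL entries referring to it keep working.
    Find-DeletedAdUser -SamAccountName $SamAccountName | Restore-ADObject -PassThru
}

function New-GroupPasswordPolicy {
    param(
        [string]$Name      = 'Accounting-Strict',
        [string]$GroupName = 'Accounting',
        [int]$MinLength    = 14
    )
    # Fine-grained password policy: stricter than the domain default and
    # applied to one group instead of the whole domain. When a user falls
    # under several policies, the one with the lowest Precedence wins.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength $MinLength `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $GroupName
}

# Usage (constructed):
# Enable-AdRecycleBin -ForestRoot 'example.net'
# Find-DeletedAdUser -SamAccountName 'jsmith'
# Restore-DeletedAdUser -SamAccountName 'jsmith'
# New-GroupPasswordPolicy -Name 'Accounting-Strict' -GroupName 'Accounting'
```

Find-DeletedAdUser is worth running on its own before restoring: its whenChanged value tells you when the deletion happened, which is the starting point for finding out who deleted the object in the audit log.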

Implementing the Active Directory directory service

The Active Directory directory service is the heart of an enterprise's IT infrastructure. If it fails, the entire network, all servers and the work of all users are paralyzed. Nobody can log on to a computer or access their documents and applications. Therefore the directory service must be carefully designed and deployed, taking into account all possible nuances. For example, the site structure should be based on the physical network topology and the channel bandwidth between branches or company offices, because the speed of user logon and of replication between domain controllers depends directly on it. In addition, Exchange Server 2007/2010 routes mail based on the site topology. You also need to calculate correctly the number and placement of global catalog servers, which store the membership lists of universal groups and many other frequently used attributes of all domains in the forest. That is why companies entrust the implementation, reorganization or migration of the Active Directory directory service to system integrators. Nevertheless, you must not make a mistake in choosing a system integrator: make sure it is certified for this type of work and has the relevant competencies.

LanKey is a certified system integrator and holds Microsoft Gold Certified Partner status. LanKey has the Datacenter Platform (Advanced Infrastructure Solutions) competency, which confirms our experience and qualifications in matters related to deploying Active Directory and implementing Microsoft server solutions.

All project work is performed by Microsoft-certified MCSE and MCITP engineers with extensive experience in large and complex projects on building IT infrastructures and implementing Active Directory domains.

LanKey will develop the IT infrastructure, deploy the Active Directory directory service and ensure the consolidation of all available enterprise resources into a single information space. Implementing Active Directory helps reduce the total cost of ownership of the information system and improves the efficiency of using shared resources. LanKey also provides services for domain migration, merging and separating IT infrastructures during mergers and acquisitions, and maintenance and support of information systems.

Examples of some Active Directory implementation projects carried out by LanKey:


In connection with the execution of a transaction for the purchase of 100% of the shares of Sibur-Mounty Frames, OJSC (subsequently renamed OJSC "SDS-Azot") of the Siberian Business Union Holding Companies in December 2011, there was a need to separate the IT infrastructure of OAO -Azot "from the network holding SIBUR.

Lanka migrated the Active Directory directory service of the Sibur-Mineral Fertilizers division from the SIBUR holding network to a new infrastructure. User accounts, computers and applications were also transferred. On completion of the project the customer sent a letter of thanks.

In connection with a restructuring of the business, the Active Directory directory service was deployed for the central office and 50 Moscow and regional stores. The directory service provided centralized management of all enterprise resources, as well as authentication and authorization of all users.
Within an integrated project to create the enterprise IT infrastructure, Lanka deployed an Active Directory domain for the management company and 3 regional divisions. A separate site was created for each branch, and 2 domain controllers were deployed in each site. Certificate services were also deployed. All services were deployed on virtual machines running under Microsoft Hyper-V. The quality of Lanka's work was confirmed by a customer reference.
As part of a comprehensive project to create a corporate information system, an Active Directory directory service based on Windows Server 2008 R2 was deployed. The system was deployed using Microsoft Hyper-V server virtualization. The directory service provided uniform authentication and authorization of all hospital employees and supported the operation of applications such as Exchange, TMG, SQL, etc.



The Active Directory directory service was built on Windows Server 2008 R2. To reduce costs, it was installed in a server virtualization environment based on Microsoft Hyper-V.
Within a comprehensive project to create the enterprise IT infrastructure, a directory service on Windows Server 2008 R2 was deployed. All domain controllers were deployed on the Microsoft Hyper-V server virtualization platform. The quality of the work is confirmed by a customer reference.


In a situation critical for the business, the Active Directory directory service was restored to working order in the shortest possible time. Lanka specialists restored the root domain in just a couple of hours and wrote instructions for restoring replication for 80 branch units. The customer provided a reference for the efficiency and quality of the work.
As part of an integrated project for creating an IT infrastructure, an Active Directory domain based on Windows Server 2008 R2 was deployed. Directory service availability was provided by 5 domain controllers deployed on a cluster of virtual machines. Backup of the directory service was implemented with Microsoft Data Protection Manager 2010. The quality of the work is confirmed by a customer reference.

As part of a comprehensive project to build a corporate information system, an Active Directory directory service based on Windows Server 2008 was deployed. The IT infrastructure was built on Hyper-V virtualization. After the project was completed, a contract for further maintenance of the information system was concluded. The quality of the work is confirmed by a customer reference.

Oil and gas technology: as part of an integrated project to create an IT infrastructure, a single Active Directory directory on Windows Server 2008 R2 was deployed. The project was completed in 1 month. After completion of the project, a contract for further maintenance of the system was concluded. The quality of the work is confirmed by a customer reference.
Active Directory was built on Windows Server 2008 as part of an Exchange Server 2007 project.
The Active Directory directory service on Windows Server 2003 was reorganized before the implementation of Exchange Server 2007. The quality of the work is confirmed by a customer reference.
The Active Directory directory service was built on Windows Server 2003 R2. After completion of the project, a contract for further maintenance of the system was concluded. The quality of the work is confirmed by a customer reference.

Active Directory was built on Windows Server 2003. After the project was completed, a contract for further support of the system was concluded.

Annotation: This lecture describes the basic concepts of the Active Directory directory service, gives practical examples of network security management, describes the group policy mechanism and gives an idea of the network administrator's tasks in managing the directory service infrastructure.

Modern networks often consist of many different software platforms and a wide variety of equipment and software. Users are often forced to memorize a large number of passwords to access various network resources. The same employee may have different access rights depending on which resources they work with. Analyzing, memorizing and learning this whole set of relationships takes an enormous amount of administrator and user time.

The solution to managing such a heterogeneous network came with the development of directory services. A directory service provides the ability to manage any resources and services from anywhere, regardless of the size of the network, the operating systems used and the complexity of the equipment. Information about a user is entered into the directory service once, after which it becomes available throughout the network. Email addresses, group membership, the necessary access rights and accounts for working with various operating systems are all created and kept up to date automatically. Any change the administrator records in the directory is immediately propagated across the network. Administrators no longer need to worry about dismissed employees: simply removing the user account from the directory service guarantees the automatic removal of all access rights to network resources that were previously granted to that employee.

Currently, most directories from different vendors are based on the X.500 standard. To access the information stored in directory services, the LDAP protocol is usually used. Owing to the rapid development of TCP/IP networks, LDAP is becoming the standard for directory services and for applications designed to use a directory service.

The Active Directory directory service is the basis of the logical structure of corporate networks built on Windows. The term "directory" in its broadest sense means a reference list or catalog, but in a corporate network the directory service is a centralized corporate directory. A corporate directory may contain information about objects of various types. The Active Directory directory service primarily contains the objects on which the Windows network security system is based: user accounts, groups and computers. Accounts are organized into logical structures: domains, trees, forests and organizational units.

From the point of view of studying the material of the "Network Administration" course, the following order is quite possible: first study the first part of this section (from the basic concepts up to installing domain controllers), then move on to "File and Print Services", and after studying "File and Print Services" return to "Active Directory Directory Service" to explore the more complex directory concepts.

6.1 Basic terms and concepts (forest, tree, domain, organizational unit). Planning the AD namespace. Installing domain controllers

Security management models: the "workgroup" model and the centralized domain model

As mentioned above, the main purpose of directory services is managing network security. The basis of network security is the database of accounts of users, user groups and computers, with which access to network resources is managed. Before talking about the Active Directory directory service, we compare two models for building the directory service database and managing resources.

The "workgroup" model

This corporate network security management model is the most primitive. It is intended for use in small peer-to-peer networks (3-10 computers) and is based on each computer on the network running Windows NT/2000/XP/2003 having its own local account database, which is used to control access to that computer's resources. The local account database is called the SAM (Security Account Manager) database and is stored in the operating system's registry. The databases of individual computers are completely isolated from each other and are not interconnected.

An example of access control using this model is shown in Fig. 6.1.


Fig. 6.1.

The example shows two servers (SRV-1 and SRV-2) and two workstations (WS-1 and WS-2). Their SAM databases are labelled SAM-1, SAM-2, SAM-3 and SAM-4 respectively (in the figure the SAM databases are drawn as ovals). Each database contains the user accounts user1 and user2. The full name of user1 on the server SRV-1 is "SRV-1\user1", while the full name of user1 on the workstation WS-1 is "WS-1\user1". Suppose that the folder Folder has been created on the server SRV-1 and shared on the network, with read (R) access granted to user1 and read and write (RW) access granted to user2. The key point of this model is that the computer SRV-1 knows nothing about the computers SRV-2, WS-1 and WS-2, or about any other computer on the network. If a user named user1 logs on locally to a computer, for example WS-2 (or, as is often said, "enters the system with the local name user1 on the computer WS-2"), then when they try to access the shared folder Folder on the server SRV-1 over the network, the server will ask them to enter a name and password (the exception is the case where the identically named accounts also have identical passwords).

The "workgroup" model is simpler to study; there is no need to learn the complex concepts of Active Directory. But when it is used on a network with a large number of computers and network resources, managing user names and passwords becomes very difficult: on every computer that shares its resources on the network you have to manually create the same accounts with the same passwords, which is very laborious, or create one account for all users with one password for everyone (or no password at all), which greatly reduces the level of information protection. Therefore the "workgroup" model is recommended only for networks with 3 to 10 computers (better still, no more than 5), provided that none of the computers runs a Windows Server system.

The domain model

In the domain model there is a single directory service database available to all computers on the network. Specialized servers called domain controllers are installed on the network and store this database on their hard disks. Fig. 6.2 shows the scheme of the domain model. The servers DC-1 and DC-2 are domain controllers; they store the domain account database (each controller stores its own copy of the database, but all changes made to the database on one of the servers are replicated to the other controllers).


Fig. 6.2.

In this model, if, for example, the server SRV-1, which is a member of the domain, shares the folder Folder, access rights to this resource can be assigned not only to accounts from the local SAM database of this server but, most importantly, to accounts stored in the domain database. In the figure, permissions on the folder Folder are granted to one local account of the computer SRV-1 and to several domain accounts (users and user groups). In the domain security management model the user logs on to a computer ("enters the system") with their domain account and, regardless of the computer on which they logged on, gains access to the necessary network resources. There is no need to create a large number of local accounts on each computer; all accounts are created once, in the domain database. And with the domain database, access to network resources is controlled centrally, regardless of the number of computers on the network.

Purpose of the Active Directory directory service

The directory can store various information related to users, groups, computers, network printers, shared file resources and so on; we will call all of these objects. The directory also stores information about each object itself, its properties, called attributes. For example, the attributes stored in the directory for a user may include the name of their manager, phone number, address, logon name, password, the groups they belong to, and much more. For the directory store to be useful to users, there must be services that interact with the directory. For example, the directory can be used as a store of information against which a user is authenticated, or as a place to which a query can be sent to find information about an object.

Active Directory is responsible not only for creating and organizing these small objects, but also for large objects such as domains, OUs (organizational units) and sites.

The main terms used in the context of the Active Directory directory service are described below.

The Active Directory directory service (abbreviated AD) ensures the efficient operation of a complex corporate environment by providing the following features:

  • Single sign-on to the network: users can log on to the network with one name and password and gain access to all network resources and services (network infrastructure services, file and print services, application servers and databases, etc.);
  • Information security: the authentication and resource access control mechanisms built into Active Directory provide centralized network protection;
  • Centralized management: administrators can centrally manage all corporate resources;
  • Administration using group policies: when a computer boots or a user logs on to the system, the requirements of group policies are applied; their settings are stored in Group Policy Objects (GPOs) and apply to all user and computer accounts located in sites, domains or organizational units;
  • Integration with DNS: the functioning of the directory service is completely dependent on the DNS service; in turn, DNS servers can store zone information in the Active Directory database;
  • Directory extensibility: administrators can add new object classes to the directory schema or add new attributes to existing classes;
  • Scalability: the Active Directory service can cover a single domain or many domains combined into a domain tree, and a forest can be built from several domain trees;
  • Replication of information: the Active Directory service replicates directory information in a multi-master scheme, which allows the Active Directory database to be modified on any domain controller; having several controllers in a domain provides fault tolerance and the ability to distribute the network load;
  • Flexible directory queries: the Active Directory database can be used to quickly find any AD object by its properties (for example, the user name or email address, the printer type or its location, etc.);
  • Standard programming interfaces: for software developers, the directory service provides access to all features of the directory and supports accepted standards and programming interfaces (APIs).

A wide range of objects can be created in Active Directory. An object is a unique entity inside the directory and usually has many attributes that help describe and identify it. A user account is an example of an object; this type of object may have many attributes, such as first name, surname, password, phone number, address and many others. In the same way, a shared printer can also be an object in Active Directory, with attributes such as its name and location. Object attributes not only help identify an object, but also allow objects to be searched for inside the directory.

Terminology

The directory service of Windows Server systems is built on generally accepted technology standards. Initially the X.500 standard was developed for directory services; it was intended for building hierarchical, tree-like, scalable directories with the ability to extend both the classes of objects and the set of attributes of each individual class. However, practical implementations of this standard turned out to be inefficient in terms of performance. Then, on the basis of X.500, a simplified ("lightweight") version of the directory-building standard was developed, called LDAP (Lightweight Directory Access Protocol). LDAP retains all the main properties of X.500 (hierarchical directory structure, scalability, extensibility), but at the same time allows the standard to be implemented efficiently in practice. The term "lightweight" in the name of LDAP reflects the main goal of the protocol's development: to create a toolkit for building a directory service that has enough functional power to solve the basic tasks, but is not overloaded with complex technologies that make directory service implementations inefficient. Today LDAP is the standard method of accessing information in network directories and serves as the foundation of a variety of products, such as authentication systems, mail programs and e-commerce applications. There are currently more than 60 commercial LDAP servers on the market; about 90% of them are stand-alone LDAP directory servers, and the rest are offered as components of other applications.

The LDAP protocol clearly defines the set of operations on directories that a client application can perform. These operations fall into five groups:

  • establishing a connection with the directory;
  • searching for information in it;
  • modifying its contents;
  • adding an object;
  • removing an object.
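As an added example that is not part of the lecture, the following Python code shows what the "search" operation from the second group above actually sends: an LDAP search filter in the notation of RFC 4515, built from the attribute-based queries that the directory allows (by logon name, by email address, by account state). It uses only the standard library and does not contact a server. The attribute names sAMAccountName, mail, objectClass and userAccountControl are standard Active Directory attributes; the sample values and the deliberately unescaped naive_filter are constructed for the illustration.

```python
"""Building LDAP search filters (RFC 4515) for directory queries.

Added example: a minimal, standard-library-only filter builder. It does not
talk to a server; it shows what the "search" operation sends and why an
assertion value taken from user input must be escaped before it is placed
inside the filter.
"""

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value so the server treats them literally rather than as filter syntax.
_SPECIAL = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_value(value: str) -> str:
    """Escape a value for use inside (attr=value); non-ASCII becomes UTF-8 hex pairs."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def eq(attr: str, value: str) -> str:
    """Equality match (attr=value) with the value escaped."""
    return f"({attr}={escape_value(value)})"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(filt: str) -> str:
    return "(!" + filt + ")"


# Active Directory extensible match: matching rule LDAP_MATCHING_RULE_BIT_AND
# (OID 1.2.840.113556.1.4.803) applied to userAccountControl; bit 2 is
# ACCOUNTDISABLE, so this filter is true for disabled accounts.
ACCOUNT_DISABLED = "(userAccountControl:1.2.840.113556.1.4.803:=2)"


def user_by_logon_name(sam_account_name: str) -> str:
    """Filter for the user object whose logon name (sAMAccountName) is given."""
    return and_(eq("objectClass", "user"), eq("sAMAccountName", sam_account_name))


def enabled_users_by_mail_domain(mail_domain: str) -> str:
    """Enabled user accounts whose mail address ends with @<mail_domain>."""
    # The wildcard is ours; only the caller's domain part is escaped, so a "*"
    # inside that string cannot widen the match.
    return and_(
        eq("objectClass", "user"),
        f"(mail=*@{escape_value(mail_domain)})",
        not_(ACCOUNT_DISABLED),
    )


def naive_filter(sam_account_name: str) -> str:
    """The unescaped form, kept only to contrast with user_by_logon_name."""
    return f"(sAMAccountName={sam_account_name})"


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    print(user_by_logon_name("user1"))
    print(enabled_users_by_mail_domain("company.ru"))
    # "*" stays a literal asterisk in the escaped filter but becomes a
    # match-everything wildcard in the naive one.
    print(naive_filter("*"))
    print(user_by_logon_name("*"))
```

The last two lines of the demonstration are the point of the escaping: in the escaped form a logon name of `*` can only match an account literally named `*`, whereas the naive form turns the same input into a query for every account that has a sAMAccountName.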

In addition to the LDAP protocol, the Active Directory directory service also uses the Kerberos authentication protocol and the DNS service for locating the network components of the directory service (domain controllers, global catalog servers, the Kerberos service, etc.).

Domain

The main unit of the Active Directory security system is the domain. A domain forms an area of administrative responsibility. The domain database contains accounts of users, groups and computers. Most directory service management functions operate at the domain level (user authentication, resource access control, service management, replication management, security policies).

The names of Active Directory domains are formed by the same scheme as names in the DNS namespace, and this is no accident: the DNS service is the means of locating the components of the domain, primarily the domain controllers.

Domain controllers are special servers that store the part of the Active Directory database that corresponds to their domain. The basic functions of domain controllers are:

  • storing the Active Directory database (organizing access to the information contained in the directory, including managing this information and modifying it);
  • synchronizing changes in AD (changes to the AD database can be made on any domain controller, and any change made on one controller is synchronized with the copies stored on the other controllers);
  • authenticating users (any domain controller checks the credentials of users logging on at client systems).

It is strongly recommended to install at least two domain controllers in each domain: first, to protect against loss of the Active Directory database if any one controller fails, and second, to distribute the load between the controllers.

Within the domain it.company.ru there is the subdomain dev.it.company.ru, created for the developers' department.

  • to decentralize the administration of the directory service (for example, when the company has branches geographically distant from each other and centralized management is difficult for technical reasons);
  • to increase performance (for companies with a large number of users and servers, the question of improving domain controller performance is relevant);
  • for more efficient replication management (if domain controllers are far from each other, replication within a single domain may take more time and create problems due to inconsistent data);
  • forest root domain (Forest Root Domain): this domain cannot be deleted (it stores information about the configuration of the forest and of the domain trees that form it).

Organizational units (OUs)

Organizational units (OUs) are containers inside AD created to group objects for the purposes of delegating administrative rights and applying group policies within the domain. OUs exist only inside domains and can contain only objects from their own domain. OUs can be nested in each other, which allows a complex tree-like hierarchy of containers to be built within the domain and more flexible administrative control to be exercised. In addition, OUs can be created to reflect the administrative hierarchy and organizational structure of the company.
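As an added example that is not part of the lecture, the following Python code ties together the naming rules from the domain section above and this OU section: how a DNS-style domain name such as dev.it.company.ru becomes the LDAP distinguished name of the domain, which DNS SRV records a member computer queries to locate that domain's controllers, its PDC emulator and the forest's global catalog servers, and how nested OUs are named inside a domain (their distinguished name always ends with the domain's DC= components, which is the formal side of "OUs exist only inside domains"). The domain names it.company.ru and dev.it.company.ru are the ones used in this section; the forest root company.ru, the site name Moscow and the OU names are assumed values for the example. Nothing is looked up on the network.

```python
"""Active Directory naming: DNS domain names, DC locator records and OU distinguished names.

Added example using only the Python standard library; nothing is resolved on
the network. The forest root "company.ru", the site name and the OU names are
assumed values for the demonstration.
"""
from __future__ import annotations


def dns_labels(fqdn: str) -> list[str]:
    """Split 'dev.it.company.ru' into its DNS labels, validating each one."""
    labels = fqdn.strip().rstrip(".").lower().split(".")
    for label in labels:
        if not label or len(label) > 63 or not all(c.isalnum() or c == "-" for c in label):
            raise ValueError(f"invalid DNS label {label!r} in {fqdn!r}")
    return labels


def domain_to_dn(fqdn: str) -> str:
    """DNS name -> LDAP distinguished name: dev.it.company.ru -> DC=dev,DC=it,DC=company,DC=ru"""
    return ",".join(f"DC={label}" for label in dns_labels(fqdn))


def parent_domain(fqdn: str) -> str | None:
    """The DNS parent of a child domain (None for a single-label name)."""
    labels = dns_labels(fqdn)
    return ".".join(labels[1:]) if len(labels) > 1 else None


def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514 so 'Sales, EMEA' stays one OU name."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def ou_dn(domain_fqdn: str, *ou_path: str) -> str:
    """DN of a nested OU given its path from the domain root.

    OUs live only inside a domain, so the DN always ends in the domain's DC=
    components: ou_dn('company.ru', 'IT', 'Developers')
    -> 'OU=Developers,OU=IT,DC=company,DC=ru'
    """
    rdns = [f"OU={escape_rdn_value(ou)}" for ou in reversed(ou_path)]
    return ",".join(rdns + [domain_to_dn(domain_fqdn)])


def dc_locator_records(domain_fqdn: str, forest_root_fqdn: str,
                       site: str | None = None) -> dict[str, str]:
    """SRV record names a domain member queries to locate directory services."""
    domain = ".".join(dns_labels(domain_fqdn))
    forest = ".".join(dns_labels(forest_root_fqdn))
    records = {
        # any domain controller of the domain (LDAP, TCP 389)
        "ldap": f"_ldap._tcp.dc._msdcs.{domain}",
        # Kerberos KDC of the domain (TCP/UDP 88)
        "kerberos": f"_kerberos._tcp.{domain}",
        # the controller holding the PDC emulator role
        "pdc": f"_ldap._tcp.pdc._msdcs.{domain}",
        # global catalog servers are registered under the forest root (TCP 3268)
        "gc": f"_gc._tcp.{forest}",
    }
    if site:
        # site-specific record so clients prefer a controller in their own site
        # (site names are case-insensitive; lower-casing is this example's choice)
        records["ldap_site"] = f"_ldap._tcp.{site.lower()}._sites.{domain}"
    return records


if __name__ == "__main__":
    print(domain_to_dn("dev.it.company.ru"))
    print(parent_domain("dev.it.company.ru"))
    print(ou_dn("company.ru", "IT", "Developers"))
    for name, record in dc_locator_records("dev.it.company.ru", "company.ru", site="Moscow").items():
        print(f"{name:10} {record}")
```

The record names are the standard ones a Windows client's DC locator asks DNS for, which is why the lecture stresses that the directory service depends completely on DNS: if these SRV records are missing or stale, clients cannot find a controller even though the controllers themselves are healthy.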

Global catalog

The global catalog is a list of all objects that exist in the Active Directory forest. By default, domain controllers contain information only about the objects of their own domain. A global catalog server is a domain controller that contains information about every object in the forest (although not about all the attributes of these objects).