Features In Active Directory Server Computer Science

This assignment is a brief overview of some of the features in Active Directory Server 2008, it includes the main components within a forest and then covers recommendations for Active Directory concentrating on security. This covers group settings, policies and rules to create an effective Active Directory environment.

Active Directory is a centralised system that provides authentication and authorisation for users, computers, resources and the applications they use. It is controlled at the administrator level whether that be as an individual administrator in a small network or a group of administrators in a larger organisation, it can be used in a small network or in theory can be scaled to hold 4,294,967,041 separate objects. Active Directory (AD) provides a single point that administrators can control resources from. Resources being files, applications, users and any associated system resource this shows (AD) to be well managed and eminently scalable.

It is a database or directory service used to manage and store information concerning network resources, used to organise the network and allocate resources throughout the network. The network is divided into areas with specific components starting with a forest and subsequent domain.

Component overview

A container is any device that contains more than one object, a forest is the largest container,

unlike a leaf object which does not contain other objects. The forest is the security boundary of a network environment, so a user can access resources throughout an entire forest with one single logon. You can have more than one forest as in larger organisations but a user would require an additional logon.

The next smallest part of Active Directory is the domain and this is really where Active Directory comes into its own, a server 2008 computer configured with Active Directory domain services role is referred to as a domain controller. The domain controller stores the Active Directory database and therefore controls authentication of users and maintains the database information.

The domain controller also replicates all of the information stored in its database file to other domain controllers synchronising any changes within the network to all the other controllers, the file that contains the information is the ntds.dit file. This file is used by the administrator and can be updated from any controller keeping the database consistent across all domains, any update carried out on any controller in (AD) can be replicated throughout it is referred to as a multimaster system (multiple controllers for one master database).

Any change carried out on one controller say adding a new user account the controller will update the ntds.dit database and will then be replicated to the other domain controllers this can be replicated immediately through forced replication, through the GUI or with the command prompt" gpupdate "command. Replication also occurs at a set time a default time of 180 minutes or can be set by the administrator to as little as 15 minutes. This is between sites known as intersite or much quicker replication intrasite within a site.

The forest is the main part of the active directory hierarchy followed by the domain as the trees, the branches are then described as the Organisational units(OU), these can have other organisational units within them this is known as nesting, and one group can be nested with another, two eggs in one nest. The individual objects within the (OU) container are the objects or to finish off our forest they are the leaves on the (OU) branches.

Organisational units can be set to reflect the structure within your company you could have two separate (OUs) One for marketing and one for Accounts, you can assign different policies for each (OU) putting a structure in place that will reflect each departments needs. This allows you to design your Active Directory network to suit the requirements of both departments and tailor them to their group needs.

Groups and security

Groups are used to make control of Active Directory more manageable, (OUs) already mentioned allocate grouping of resources that have similar needs. Groups are used to make network permissions easy for the administrator to control. The administrator can assign permissions to many users simultaneously, assigning network resources and associated permissions.

The administrator can assign permissions to different groups these are known as security groups, these groups allow multiple users access to resources. Two of the main groups are:

Domain local groups - used to assign permissions to resources in the same domain as the domain local group.

Global groups - used to allow or deny permissions to any resource in any domain.

Recommendations and Security

To prevent attacks to the administrator account it is advisable to change the name of this account as administrator accounts can be targeted in attacks. Also when setting passwords make them difficult and limit the amount of people that know the password.

All the accounts should be set with strong passwords and should be changed on a regular basis to help with security. When creating accounts the administrator can make sure the user has to log on with a strong password and can also determine how often the password has to be changed.

The type of security you use is down to what is required for your network. Active directory supports AES encryption giving the highest level of encryption available., e.g. If you were to use a DES key for security and a key could be cracked in 1 second it would take the equivalent of 149 trillion years to crack a 128 bit key and Active directory can support both 128 and 256 bit.

Users can be placed into groups allowing the administrator to assign permissions to the individual user within a group standardising and giving the user in each group the same privileges and access. This can also be used to limit access to more sensitive information with fewer users having access to this information.

There are two groups used in Active Directory the first is distribution, this is not security related and is used for information distribution, and the earlier mentioned security group giving users access to resources.

Groups also have scopes this controls the objects contained within the group. If you have certain users that need access to a resource for example a book on Active Directory, the users can be grouped together in a security group named Active Directory. The administrator creates the group and then assigns the group access to the resource (book). The scope controls the objects that the group have access to. This can be contained to a local group, within a domain, across different domains, or universally spanning the entire forest. This allows control of users and computers alike and the resources available to them, by limiting access your system remains secure.

Users and groups can be created in Active Directory Users and Computers, this is my preferred way they can also be created using command prompt using the "dsadd" user syntax. If you are more comfortable using the command prompt utility this is available but typing everything can take longer.

Group policies do not apply only to groups they can be linked to sites, organisational units (OU) and domains which in turn apply these settings to the users and computers within them.

Group policy allows you to control and choose the settings and features you wish to use, you can also use security group filtering where you can apply group policy permissions to individuals or groups. Group policy objects (GPOs) contain the group policy settings for users and computers in a site, (OU) or domain, administrators and users can have different GPOs to control their access levels.

They have two settings created by default user and computer configuration (by default all of the objects within a GPO container are affected by the GPOs settings). They are divided into further nodes which can be used for software, windows and administrator templates all of which give control of policies and settings within the network, another good secure feature.

Group policy is controlled in a hierarchy from 1-4:

1.