Section 5.2. Building an Active Directory Structure

5.2. Building an Active Directory Structure

To get the best foundation for the rest of this chapter, much as we did in Chapter 4, let's actually build an Active Directory forest, tree, and domain. In this section, I'll walk through the process of creating a domain, promoting a domain controller, adding another domain controller to the domain, adding a second child domain, and then adding a few users and groups to the mix.

5.2.1. The First Domain

The first domain in an Active Directory setup is special for a few reasons. For one, the setup process for a new domain automatically adds the first domain controller to that domainthe machine on which you run the Active Directory Wizard becomes the first domain controller for the new domain. Second, this new domain becomes the root of the entire forest, meaning that it has special powers over other domains you create within the forest, even if their names aren't the same. We'll go over that in a bit.

To start the process, from the machine you want to become the first domain controller for the new domain, select Run from the Start menu, type DCPROMO, and click OK. The Active Directory Installation Wizard starts, as shown in Figure 5-2.

Figure 5-2. Beginning Active Directory installation

Click Next to continue and you'll see the Operating System Compatibility screen. This screen is simply informing you that Windows 95 clients and Windows NT clients running Service Pack 3 or earlier, by default, will be effectively locked out of participating in the domain and using resources within Active Directory. This is because of more stringent communications requirements in Windows Server 2003clients must electronically "sign" their transmissions to the server to make sure those transmissions aren't intercepted and modified on their way to the serverand Windows 95 doesn't have logic to perform this signing process. You can choose to relax these requirements later, but I don't recommend that. (It's 2005. It's definitely time to move to at least Windows 98, which can sign its communications with the Active Directory Client software.) Click Next to continue.

The Domain Controller Type screen appears, as shown in Figure 5-3.

Figure 5-3. Selecting a new domain controller installation

You can create a new forest, a new domain tree, or a new domain with the first option, Domain controller for a new domain. Select the second option to simply promote the current machine to domain controller status within an existing domain, something I'll walk through in just a bit. Click Next.

The Create New Domain screen appears, as shown in Figure 5-4.

Figure 5-4. Creating a new domain

Here, you can create a brand-new domain with the first option, a new child domain for an existing domain tree (such as main.jonathanhassell.com under an existing jonathanhassell.com domain), or a completely separate domain tree that is not a child to any other domain but is located within the same forest. For this demonstration, select the first option, and click Next.

The New Domain Name screen appears, as shown in Figure 5-5.

Figure 5-5. The New Domain Name screen

On this screen, type the full DNS canonical name of the domain you're creating. In this example, I'll use the domain for the web site of this book, learning2003.com, as shown in the figure. Enter the name, and click Next to continue.

The NetBIOS Domain Name screen appears. This is shown in Figure 5-6.

Figure 5-6. Choosing a NetBIOS name

The NetBIOS name allows down-level compatibility with Windows NT and Windows 9x clients. NetBIOS names are restricted to 15 characters or less and should consist of letters and integers only. The Active Directory Wizard selects a NetBIOS name from the full DNS name you selected in the previous step, simply taking the leftmost part of the name. You can change this if you want. This name is what your users will see when they are logging on to their machines, if they have chosen to look at the advanced options in the logon dialog box.

Do not use a period in the NetBIOS name. This will completely confuse both the NetBIOS and DNS subsystems (because they look for periods in names to separate the different elements of a canonical name) within Active Directory and Windows Server 2003.

Click Next once you've chosen a NetBIOS name.

The Database and Log Folders screen appears, prompting you to choose where you want the Active Directory database (recall that this is the NTDS.DIT file on all domain controllers' hard drives) and where you want the transaction log that keeps track of changes to the directory. This is shown in Figure 5-7.

Figure 5-7. Choosing a location for database and log files

If possible, place the database on one drive and the log file on another drive. This ensures the best performance in production environments. You can use the Browse buttons to choose a location on the physical filesystem, or you simply can type a path into the boxes. Once you've finished choosing a location, click Next to continue.

The Shared System Volume screen appears, as shown in Figure 5-8.

Figure 5-8. Choosing a location for the SYSVOL share

The SYSVOL share is akin to NT 4.0-style NETLOGON shares, in that the contents of the share are replicated automatically to all domain controllers within a domain. SYSVOL contains user logon scripts, system policy files, default profiles, and other configuration-related files. The SYSVOL location must be on an NTFS volume. You can use the Browse button to choose a path, or you can type in a path. Click Next to continue.

DNS health checks and configuration are next. If your DNS servers aren't fully healthy, you'll receive a screen such as that shown in Figure 5-9.

Figure 5-9. A DNS system health check

Here, Active Directory is complaining that it can't contact DNS servers. If you encounter this screen, it's almost certainly because of one of the following problems: either (a) the DNS servers can't be found because they're unavailable or your current machine is not on the network; or (b) the DNS servers that were found during the check don't support dynamic updates. For more information on taking care of either of those problems, consult Chapter 4, which explains DNS with an eye to Active Directory in detail.

You have three options at this point: you can rerun the test if you've identified your specific problem and want to re-test; you can instruct Active Directory to go ahead and install the DNS service on this computer, configure it correctly, and change this computer's LAN connection properties so that it points to itself for DNS services; or you can tell Active Directory, "To hell with DNS! Go ahead!" and proceed without having verified that DNS is installed and accessible. Let me offer a caution: do not use the second or third options. Take the time, armed with the information you learned in Chapter 4, to get DNS right before using DCPROMO to create a domain. You'll save yourself a lot of heartache, hassle and time by ensuring DNS is as hard as a rock ahead of time. Why? For a few reasons. For one, your organization often can benefit from a solid DNS system even before Active Directory is rolled out. Second, Active Directory DNS systems can interfere with another DNS system you might have in place, and letting the wizard handle this part isn't smartyou need to evaluate your current environment and integrate DNS first before introducing Active Directory to the mix. Also, a solid, functionally efficient DNS system makes deploying additional domain controllers and creating new trees very efficient, as Active Directory "piggybacks" a lot of its internal functionality onto the DNS structure. Why would you want to trust to a wizard a system that is that fundamental to Active Directory?

At any rate, once you're satisfied with your DNS structure and you want to proceed with the remainder of the Active Directory installation, click Next.

The Permissions screen will appear, as seen in Figure 5-10.

Figure 5-10. Determining default Active Directory client permissions

On this screen, you can choose the default permissions for new objects to either allow anonymous access for the purpose of reading information stored on a domain controller, or deny that access. As the screen says, the main culprit behind this choice is the Remote Access Service in NT. To make a long story short, for an NT-based RAS server (which could be only a member server) to figure out if an account has permission to dial into the network, it has to query a domain controller about the properties of the account. But because this hypothetical RAS server is only a member server, it doesn't have the necessary permissions to just ask about user properties that a domain controller does, so it needs another "back door" into the domain controller to find out about this permission. Hence, the ability to anonymously access a few details about user accounts on an NT domain controller. Of course, these days, this is a huge security hole, so please upgrade your NT RAS servers as soon as possible.

All this option does is either remove or add the Everyone group into the Pre-Windows 2000 Compatible Access Group, found in the Builtin OU in Active Directory Users and Computers. To deny anonymous access after you finish installation, remove Everyone from this group. To re-allow this access, add Everyone back to this group. Of course, you also can include other objects for more specific access without using the Everyone group.

Make the appropriate choice, and then click Next.

The Directory Services Restore Mode Administrator Password screen appears. This is shown in Figure 5-11.

Figure 5-11. Setting the directory restore mode password

On this screen you can choose the password that will be required of anyone attempting to access the Active Directory restore mode tools before Windows boots. Set this password to something that is secure and different from all your other administrator passwords, and then lock it away in a safe place. You probably won't need it very often. Once you've set the password, click Next.

Let me explain a bit about this special password. The Active Directory Restore Mode password is actually a password that is stored in the SAM database for a domain controller, accessible only through specific methods, one being Active Directory Restore Mode. Even more interesting, Active Directory Restore Mode is in fact a single-user mode of Windows Server 2003 (and Windows 2000). So, the password for a directory services restore is not stored in the directory at all, meaning it is not replicated to other domain controllers.

The Summary screen appears, as displayed in Figure 5-12.

Figure 5-12. Summarizing Active Directory installation choices

Ensure the choices you selected are the correct ones you wanted, and then click Next to begin the procedure to install Active Directory and promote the current machine to a domain controller within your new domain. The installation process will trundle along, until you receive the success notification pictured in Figure 5-13.

Figure 5-13. Successful Active Directory installation

Congratulations! You've built a new domain and promoted your machine to a domain controller. You'll need to restart your machine to continue.

5.2.2. Using Active Directory Tools

Before we go any further, I'd like to discuss the three most common tools you will find yourself using as an Active Directory administrator. The first of these tools is Active Directory Users and Computers, the tool that allows you to create your Active Directory structure within a domain, add users and groups, adjust account properties, and generally administer the day-to-day operations of your directory. Figure 5-14 shows the default screen for Active Directory Users and Computers.

Figure 5-14. Active Directory Users and Computers

Next, there's Active Directory Domains and Trusts, a utility you can use to create trusts between domains and to eventually raise the domain functional level to enable new features for Active Directory. Figure 5-15 shows the default screen for Active Directory Domains and Trusts.

Figure 5-15. Active Directory Domains and Trusts

Finally, let's briefly glance at Active Directory Sites and Services, a graphical tool that allows you to design your Active Directory structure around how your business is geographically dispersed, making Active Directory replication traffic go across links that cost the least and are the fastest. You also can delineate how your organization's computers are addressed via outlining different subnets, thereby increasing the likelihood that clients will log on to domain controllers that are the closest distance to them. Figure 5-16 shows the default screen for Active Directory Sites and Services.

Figure 5-16. Active Directory Sites and Services

We'll use each tool in time as we proceed through the remainder of this chapter. For now, let's move on.

5.2.3. Adding Another Domain Controller to a Domain

Promoting another machine to domain controller status within an existing domain is even easier than promoting the first machine in a new domain. You can use the DCPROMO Wizard to do the job for you in this case, as well.

To begin, start up DCPROMO as before, and on the screen asking you what action you want to perform, select Additional domain controller for an existing domain, and click Next. The Network Credentials screen will appear, asking you to type in the username and password for a domain administrator account. Do so, and then click Next. Enter the full DNS canonical name of the domain for which you want this machine to become a domain controller, and then click Next. From there, proceed through the wizard starting from the Database and Log Files screen as indicated in the previous section. Once the wizard is finished and your machine has restarted, it is an official domain controller for your domain.

5.2.4. Adding Another Domain

Adding a child domain is equally simple: you use DCPROMO and you tell it to create a new domain, but not a new tree. This will add a "subdomain" to the existing domain tree. Then the Network Credentials screen will appear, asking for a domain administrator account. After that, the Child Domain Installation screen will appear, as shown in Figure 5-17.

Figure 5-17. Providing a name for the new child domain

Here, you can select to install a domain controller into a new domain. Click Next, and then you will be prompted to provide a name for the domain, as shown in Figure 5-18.

Figure 5-18. Providing a name for the new child domain

First, you need to tell Active Directory which domain you want to add on to, and then the name of the child domain to add on to the parent tree. You can use the Browse button to scroll around the directory or simply type the name in. In the second box, enter just the first portion of the new child domain's name. The box at the bottom will adjust automatically to show the full name of the new child domain.

Now you can proceed through the wizard, as shown in the previous section. One note of interest, though: if the domain has a lot of information to replicate out to its new domain controller, this promotion process can take a long time. An option is available on the final screen of this wizard that allows you to finish replication later, and you might be tempted to take advantage of this option. Although it does decrease the amount of time it takes to bring a new domain controller in an existing domain online, I prefer to let replication happen immediately. The only instance in which I wouldn't want to do this is if I were bringing up a new domain controller in a branch office with a very slow connection to the home office. In that case, it's OK to wait until off hours and let the replication happen then. In all other cases, I recommend moving ahead with replication and simply waiting it out.

5.2.5. Managing Users and Groups

Of course, critical to a multiuser system are user accounts and groups, which you can create within Active Directory using the Active Directory Users and Computers tool, which we previewed two sections ago. (In this section I'll use the acronym ADUC to refer to this tool to save me from having to type out Active Directory Users and Computers over and over.) Within ADUC, you can create, change, and delete user accounts, manage groups and their members, and configure Group Policiesthe latter being a topic I will save for Chapter 6.

5.2.5.1 Creating users and groups

Let's look at creating users and groups within ADUC. It's a simple process to create a user or a group. First, you ought to decide on a username or group name. You can select almost any username or group name for a particular person or group in Windows Server 2003, but you must keep the following restrictions in mind:

• The name must be unique within a domain (if you are creating a domain user) or on a machine (if you are creating a local user).

• The name can be a maximum of 20 characters.

• The name cannot contain any of the following characters: " / \ [ ] : ; | = , + * ? < >

• The name cannot comprise all spaces or all periods, though individual spaces or periods within a name are acceptable.

Group names have the same restrictions.

So, to create a user, follow these steps:

1. Open ADUC.

2. In the left pane, select the container in which you want the new user to reside. Right-click it and select User or Group from the New menu.

3. The New Object - User screen appears, as shown in Figure 5-19. Enter the user's first name, middle name, and last name in the appropriate boxes and the Full name field will populate automatically. Enter the user's preferred logon name in the User logon name box, and then click Next.

   Figure 5-19. Entering a new user

   
   
   

4. The next screen is where you enter the user's initial password and a few properties for his account. This is shown in Figure 5-20. Enter and confirm the password, and then decide whether the new user will be prompted to change this password when he logs on, whether he can change his password at all, whether the password will follow the domain's expiration policy, and finally, whether the account is disabled. (Disabled accounts cannot log in.) Click Next.

   Figure 5-20. Entering a new user's password

   
   
   

5. Confirm the information you have just entered, and click OK to create the user.

To create a new group, follow these steps:

1. Open ADUC.

2. In the left pane, select the container in which you want the new user to reside. Right-click it and select User or Group from the New menu.

3. The New Object - Group screen appears, as shown in Figure 5-21. Enter a name from the group, its scope as a domain local, global, or universal group, and the type of group (either security or distribution). Click OK.

   Figure 5-21. Creating a new group

   
   
   

That's it! You've created a new group.

If you are creating a user, your work is not done yet. You need to configure several additional properties before the user account is ready for use. Right-click the new user within ADUC and select Properties from the context menu. Here's a rundown of each option on the properties sheet's various tabs.

General

On the General tab, you can input information such as the user's first, middle, and last name, a description of the user, and his office location, main telephone number, email address, and home page. The General tab is shown in Figure 5-22.

Figure 5-22. The General tab

Address

The Address tab allows you to enter the user's postal service address information and his geographic location. Figure 5-23 shows the Address tab.

Figure 5-23. The Address tab

Account

On the Account tab, you can modify the user's logon name, the suffix for his principal name (a concept which I'll explain in a bit), logon hours, and the workstations he is permitted to use. To set logon hours, click the Logon Hours button and then select the block of time you want to either permit or deny. To set permitted workstations, click the Logon To buttonbut note that you need to have the NetBIOS protocol on your network for that restriction to be enforced.

You also see several options. You can specify that a user must change his password the next time he logs in, that he cannot change his password, that his password never expires, that Windows should store his password using a weaker, reversible encryption scheme, that his account is disabled, that a smart card must be used in conjunction with his password to log on, that the account is to be used for a software service such as Exchange and ought to be able to access other system resources, that the account is not trusted, that DES encryption should be used for the account, or that an alternate implementation of the Kerberos protocol can be used.

The Account tab is shown in Figure 5-24.

Figure 5-24. The Account tab

Profile

On the Profile tab, you can specify the path to the user's profile. A user's profile contains the contents of his Desktop and Start menu and other customizations (such as wallpaper and color scheme). You can specify where that profile is stored with the Profile Path option. You also can designate the path to the user's home folder, which is the default location within most Windows applications for a particular user's data to be stored. Plus, you can choose to automatically map a specific drive letter to the user's home folder that you have set up. Figure 5-25 shows the Profile tab.

Figure 5-25. The Profile tab

Telephones

On the Telephones tab, you can enter different numbers corresponding to this particular user's home, pager, mobile, fax, and IP telephones. The Telephones tab is shown in Figure 5-26.

Figure 5-26. The Telephones tab

Organization

The Organization tab gives you a place to specify the user's official title, the department in which he works, the name of the company where he works, his direct reports, and his manager's name. The Organization tab is shown in Figure 5-27.

Figure 5-27. The Organization tab

Remote control

This tab specifies Terminal Services properties. See Chapter 9 for a detailed walkthrough of the options on this tab. The Remote control tab is shown in Figure 5-28.

Figure 5-28. The Remote control tab

Terminal Services Profile

This tab specifies Terminal Services properties. See Chapter 9 for a detailed walkthrough of the options on this tab. The Terminal Services Profile tab is shown in Figure 5-29.

Figure 5-29. The Terminal Services Profile tab

COM+

On the COM+ tab, you can assign users to applications on COM+ partitions that you have set up on different servers. The COM+ tab is shown in Figure 5-30.

Figure 5-30. The COM+ tab

Member Of

The Member Of tab shows a user's group memberships. All users by default are a member of the Domain Users group. You can click the Add button to add groups of which this user is a member. To remove a user from a current group membership, click Remove. The Member Of tab is shown in Figure 5-31.

Figure 5-31. The Member Of tab

Dial-in

The Dial-in tab is where you configure several remote access options and properties for the user. Routing and remote access are covered in detail in Chapter 11. The Dial-in tab is shown in Figure 5-32.

Figure 5-32. The Dial-in tab

Environment

This tab specifies Terminal Services properties. See Chapter 9 for a detailed walkthrough of the options on this tab. The Environment tab is shown in Figure 5-33.

Figure 5-33. The Environment tab

Sessions

This tab specifies Terminal Services properties. See Chapter 9 for a detailed walkthrough of the options on this tab. The Sessions tab is shown in Figure 5-34.

Figure 5-34. The Sessions tab

You have fewer properties to configure when you create a new group. Those group-specific properties are profiled in the next section.

General

On the General tab, you can specify the name of the group, a friendly description of the group, the group's email address, the group's scope and type, and any notes you want to write to yourself or to other administrators. Figure 5-35 shows the General tab.

Figure 5-35. The General tab

Members

The Members tab shows the current members of the group. Click the Add and Remove buttons to add and remove members from the group, respectively. Figure 5-36 shows the Members tab.

Figure 5-36. The Members tab

Member Of

On the Member Of tab, you specify the groups of which this current group is a memberthis is an example of the "nesting" feature profiled earlier in this chapter. You can click Add and Remove to change this group's membership. The Member Of tab is shown in Figure 5-37.

Figure 5-37. The Member Of tab

5.2.5.2 Performing common administrative tasks

You can accomplish a couple of neat tricks using ADUC on multiple accounts at once, reducing some of the tedium reducing the need to make repetitive changes. For one, you can select multiple accounts within ADUC by clicking one account and doing one of the following:

• Holding down the Shift key and selecting another account to completely select the range of accounts within your two initial selections

• Holding down the Ctrl key and clicking individual accounts to select them independently

Then you can right-click the group of accounts and perform actions such as changing common properties or sending email. When you right-click multiple accounts and select Properties, the screen in Figure 5-38 appears.

Figure 5-38. Changing the properties of multiple accounts

On this screen, you can make changes to multiple accounts at the same time. A subset of the options available on individual accounts is accessible, but such common tasks as changing the UPN suffix of an account, specifying that a user must change his password, or requiring a smart card for logon are easy to make with this screen.

5.2.5.3 Using LDAP to create users

LDAP is the foundation protocol for accessing and modifying the contents of Active Directory. You can use LDAP-style strings in conjunction with a couple of command-line tools to automate the creation of users and groups.

First let's look at what makes an LDAP identifier. For instance, let's say my full name is Jonathan Hassell, and I'm in the container SBSUsers within the hasselltech.local domain. My LDAP name, therefore, is:

Cn="Jonathan Hassell",cn=SBSUsers,dc=hasselltech,dc=local

The abbreviation CN refers to the container, and DC refers to the components of a domain name. Likewise, Lisa Johnson in the Marketing container within the Charlotte container of enterprise.com would have an LDAP name of:

Cn="Lisa Johnson",cn=Marketing,cn=Charlotte,dc=enterprise,dc=com

Usernames in the directory are represented by a user principal name, or UPN. UPNs look like email addresses, and in some cases actually can be email addresses, but within the context of LDAP they serve to identify and select a specific user in the directory. So, if my username were jhassell, my UPN would be:

jhassell@hasselltech.local

And if Lisa Johnson's username were ljohnson, her UPN would be:

ljohnson@hasselltech.local

Now that we know how to specify some properties in LDAP, we can use the DSADD utility to create users from the command-line. The advantage to using DSADD is that you can script these commands to automate the creation and provision of user accounts.

DSADD adds a user to Active Directory. For example, to add a computer named JH-WXP-DSK to the Admin OU while authenticating as the domain administrator account, enter the following:

 dsadd computer CN=JH-WXP-DSK,OU=Admin,DC=hasselltech,dc=local -u  administrator -p

You will be prompted for a password.

Here's another example: to add user sjohnson (for Scott Johnson, email address sjohnson@hasselltech.local with initial password "changeme") to the Sales OU and make him a member of the Presales group, use the following command:

 dsadd user cn=sjohnson,ou=sales,dc=hasselltech,dc=local -upn  sjohnson@hasselltech.local -fn Scott -ln Johnson -display  "Scott Johnson" -password changeme -email sjohnson@hasselltech.local  -memberof cn=presales,ou=sales,dc=hasselltech,dc=local

Again you will be prompted for a password.

You're getting the picture now. You also can add OUs with DSADD. To add an OU called support, use this command:

dsadd ou cn=support,dc=hasselltech,dc=local

5.2.5.4 Delegation

One of the absolute best features within Active Directory is the ability to allow other users to take partial administrative control over a subset of your directorya process known as delegation. By delegating administrative authority, you can take some of the IT person's burden and place it elsewhere. For example, you might want to give one person in your department the power to reset passwords for other employees in a department. Or you might want to employ some part-time college students to man a helpdesk and you want to give them the ability to create new users and to help other employees with lost passwords. You can accomplish this easily through Active Directory delegation.

And there's even a wizard to help you do it, too. The entire process works something like this:

1. You choose an Active Directory container over which you want to delegate administrative authority.

2. You create a group of users (or identify an already existing one) that will have those new, delegated administrative powers.

3. You use the Delegation of Control Wizard to actually grant the powers.

Let's get started. Within ADUC, select the organizational unit over which you want to delegate powers to others. Right-click it, and select Delegate Control from the pop-up context menu. The Delegation of Control Wizard appears. Click Next off the introductory screen, and the Users or Groups screen appears, as shown in Figure 5-39.

Figure 5-39. The Users or Groups screen

On this screen, click Add and identify the users or groups to which you want to have the powers assigned. Click Next when you've added the users, and the Tasks to Delegate screen appears as shown in Figure 5-40.

Figure 5-40. The Tasks to Delegate screen

This screen lists the most common tasks you want to delegate, including such options as managing user accounts, resetting passwords, managing groups, and administering GP. For our example, let's select the second option (to reset user passwords), and click Next.

On the final screen of the wizard, you're asked to confirm your choices. Click Finish to do so, and the delegation is complete.

Unfortunately, there is no mechanism to log what delegations have been configured. Be sure to keep a very detailed and accurate journal of the delegations you create, as there is no way to track this within the user interface. However, the new DSREVOKE tool can offer a bit of assistance. This tool can report all permissions for a particular user or group on a set of OUs and, optionally, remove all permissions for that user or group from the ACLs on those OUs. This effectively provides the ability to revoke delegated administrative authority, though it's not as intuitive as a graphical utility might be. You can find more information at http://download.microsoft.com/download/b/1/f/b1f527a9-5980-41b0-b38e-6d1a52a93da5/Dsrevoke.doc.