
How to make remote access with a token more secure? Introduction to the basic concepts of Active Directory. What programs include AD

Any novice user who meets the abbreviation AD wonders what Active Directory is. Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially the service handled only domains, but starting with Windows Server 2008 AD became the name for a wide range of directory-based identity services. This makes Active Directory a good starting point for beginners.

Basic definition

The server that runs Active Directory Domain Services is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain network, assigns and enforces security policies for all PCs, and installs or updates software. For example, when a user logs on to a computer that is a member of a Windows domain, Active Directory checks the supplied password and determines whether the account is a system administrator or an ordinary user. It also lets you manage and store information, provides authentication and authorization mechanisms, and establishes the structure for deploying related services: Certificate Services, Federation Services, Lightweight Directory Services and Rights Management Services.

Active Directory uses LDAP versions 2 and 3, Microsoft's version of Kerberos, and DNS.

Active Directory: what is it? Complex things in simple words

Tracking network data is a time-consuming task. Even in small networks, users tend to have difficulty finding network files and printers. Without a directory, medium and large networks cannot be managed, and users often struggle to locate resources.

Previous versions of Microsoft Windows included services that helped users and administrators find data. Network Neighborhood is useful in many environments, but its obvious drawbacks are an awkward interface and unpredictability. WINS Manager and Server Manager could be used to view the list of systems, but they were not available to end users. Administrators used User Manager to add and delete data about a completely different type of network object. These applications proved ineffective in large networks and raised the question: why Active Directory?

A directory, in the most general sense, is a complete list of objects. A phone book is a type of directory that stores information about people, businesses and government organizations: usually names, addresses and phone numbers. Asked what Active Directory is, in simple words, we can say that this technology is similar to a directory but much more flexible. AD stores information about organizations, sites, systems, users, shared resources and any other network object.

Introduction to the basic concepts of Active Directory

Why does an organization need Active Directory? As already mentioned in the introduction, the service stores information about network components. The "Active Directory for beginners" guide states that this allows clients to find objects within its namespace. This term refers to the area within which a network component can be located. For example, the table of contents of a book creates a namespace in which chapters can be mapped to pages.

DNS is a namespace that resolves host names to IP addresses, just as phone books provide a namespace for resolving names to phone numbers. How does this work in Active Directory? AD provides a namespace for resolving the names of network objects to the objects themselves, and it can resolve a wide range of objects, including users, systems and services on the network.

Objects and attributes

Everything that Active Directory tracks is considered an object. In simple words, an object in Active Directory is any user, system, resource or service. The generic term "object" is used because AD is capable of tracking many kinds of elements, and many objects can share common attributes. What does this mean?

Attributes describe objects in Active Directory; for example, all user objects share an attribute for storing the user name. The same applies to their descriptions. Systems are also objects, but they have a separate set of attributes that includes the host name, IP address and location.

The set of attributes available for any particular type of object is called the schema. It is what makes object classes differ from one another. The schema information is itself stored in Active Directory. What matters greatly for the security model is that the schema allows administrators to add attributes to object classes and distribute them across the network to every corner of the domain without restarting any domain controllers.

Container and LDAP name

A container is a special type of object used to organize the directory. It does not represent a physical entity such as a user or system. Instead, it is used to group other elements. Container objects can be nested inside other containers.

Every element in AD has a name. These are not the names you are used to, such as Ivan or Olga. They are LDAP distinguished names. LDAP distinguished names are complex, but they uniquely identify any object in the directory regardless of its type.

The terms tree and site

The term "tree" is used to describe a set of objects in Active Directory. What is it? In simple words, it can be explained with the help of a tree analogy. When containers and objects are combined hierarchically, they tend to form branches, hence the name. A related term is "contiguous subtree", which refers to an unbroken branch of the main tree trunk.

Continuing the metaphor, the term "forest" describes a set of trees that are not part of the same namespace but share a common schema, configuration and global catalog. Objects in these structures are available to all users if security permits. Organizations divided into several domains must group their trees into a single forest.

A site is a geographic location defined in Active Directory. Sites correspond to logical IP subnets and, as such, can be used by applications to locate the nearest server on the network. Using site information from Active Directory can significantly reduce traffic over wide area networks.

Managing Active Directory

The Active Directory Users and Computers snap-in is the most convenient tool for administering Active Directory. It is available directly from Administrative Tools in the Start menu. It replaces and improves on Server Manager and User Manager from Windows NT 4.0.


Security

Active Directory plays an important role in the future of Windows networks. Administrators must be able to protect their directory from intruders and users while simultaneously delegating tasks to other administrators. All this is possible using the Active Directory security model, which associates an access control list (ACL) with each container, object and attribute in the directory.

This fine-grained control allows the administrator to grant individual users and groups different levels of permissions on objects and their properties. They may even add attributes to objects and hide those attributes from certain groups of users. For example, you can set an ACL so that only managers can view the home phone numbers of other users.

Delegated administration

Delegated administration is a concept new to Windows 2000 Server. It allows you to assign tasks to other users without granting them additional access rights. Delegated administration can be assigned on specific objects or on contiguous directory subtrees. This is a much more efficient method of granting authority on networks.

Instead of giving someone full global domain administrator rights, the user can be granted permission only within a certain subtree. Active Directory supports inheritance, so any new object inherits the ACL of its container.

The term "trust relationship"

The term "trust relationship" is still used, but with different functionality. There is no longer a difference between one-way and two-way trusts, since all Active Directory trust relationships are bidirectional. In addition, all of them are transitive. So, if domain A trusts domain B, and B trusts C, then there is an automatic implicit trust relationship between domain A and domain C.

Auditing in Active Directory, in simple words, is a security feature that lets you determine who is trying to access objects and whether the attempt succeeded.
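The implicit trust described above, as an added example that is not part of the original article: it computes which domains end up trusting each other once every explicit trust is treated as bidirectional and transitive, as the text assumes. Domain names are hypothetical; the `Get-ADTrust` call in the final comment is the live check an administrator would run to confirm those assumptions for a real trust.

```powershell
# Added example, not from the original article. Given a list of explicit trusts,
# decide whether $From implicitly trusts $To under the article's assumptions:
# every trust is two-way and transitive. Domain names are hypothetical.
function Test-TransitiveTrust {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Trusts,   # each @{ A = 'x'; B = 'y' } is one trust
        [Parameter(Mandatory)] [string] $From,
        [Parameter(Mandatory)] [string] $To
    )
    # Build an undirected adjacency map: each explicit trust is bidirectional.
    $adj = @{}
    foreach ($t in $Trusts) {
        foreach ($edge in @(@($t.A, $t.B), @($t.B, $t.A))) {
            $src, $dst = $edge
            if (-not $adj.ContainsKey($src)) { $adj[$src] = @() }
            $adj[$src] += $dst
        }
    }
    # Breadth-first search: transitivity means every reachable domain is trusted.
    $seen  = @{ $From = $true }
    $queue = [System.Collections.Queue]::new()
    $queue.Enqueue($From)
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        if ($cur -eq $To) { return $true }
        foreach ($n in $adj[$cur]) {
            if (-not $seen.ContainsKey($n)) { $seen[$n] = $true; $queue.Enqueue($n) }
        }
    }
    return $false
}

# Constructed sample: A trusts B, B trusts C, and D trusts nobody.
$trusts = @(
    @{ A = 'a.example'; B = 'b.example' },
    @{ A = 'b.example'; B = 'c.example' }
)
Test-TransitiveTrust -Trusts $trusts -From 'a.example' -To 'c.example'   # implicit trust via b.example
Test-TransitiveTrust -Trusts $trusts -From 'a.example' -To 'd.example'   # no path, so no trust

# Defender's check on a real domain (requires the ActiveDirectory module and a domain
# account): external trusts can be one-way and non-transitive, so verify before assuming.
#   Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, IntraForest
```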

Using DNS (Domain Name System)

A distributed DNS system is needed by any organization connected to the Internet. DNS provides name resolution between friendly names, such as mspress.microsoft.com, and the raw IP addresses that network-layer components use for communication.

Active Directory makes extensive use of DNS to locate objects. This is a significant change from previous Windows operating systems, which required NetBIOS names to be resolved to IP addresses and relied on WINS or another NetBIOS name resolution technique.

Active Directory works best when used with DNS servers running Windows 2000. Microsoft has made it easier for administrators to move to Windows 2000 DNS servers by providing migration wizards that guide the administrator through the process.

Other DNS servers can be used. However, in that case administrators will have to spend more time on DNS database management. What are the nuances? If you decide not to use DNS servers running Windows 2000, you must make sure that your DNS servers support the new DNS dynamic update protocol. Servers rely on dynamic updating of their records so that clients can find domain controllers. This is inconvenient: if dynamic update is not supported, the databases have to be updated manually.

Windows domains and Internet domains are now fully compatible. For example, a name such as mspress.microsoft.com identifies the Active Directory domain controllers responsible for the domain, so any client with DNS access can find a domain controller. Clients can use DNS resolution to locate any number of services, since Active Directory servers publish a list of addresses in DNS using the new dynamic update features. These entries are defined per domain and published as service resource records (SRV RRs). An SRV RR follows the format service.protocol.domain.

Active Directory servers provide the LDAP service for locating objects, and LDAP uses TCP as its underlying transport-layer protocol. Therefore a client looking for an Active Directory server in the mspress.microsoft.com domain will look up the DNS entry ldap.tcp.mspress.microsoft.com.
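The domain-controller lookup described above, as an added example that is not part of the original article: it builds the SRV query name (in DNS the service and protocol labels carry leading underscores, `_ldap._tcp`, which the rendering above dropped) and chooses a target the way RFC 2782 prescribes, lowest priority first and then weighted by weight. The records are constructed; `Select-SrvTarget` also works on the objects a live `Resolve-DnsName -Type SRV` returns, since those expose the same Priority, Weight, Port and NameTarget properties.

```powershell
# Added example, not from the original article. Domain and record values are constructed.
function Get-SrvQueryName {
    param(
        [string] $Service = 'ldap',
        [string] $Protocol = 'tcp',
        [Parameter(Mandatory)] [string] $Domain
    )
    # The service.protocol.domain form from the text, with the underscore prefixes DNS uses.
    return ('_{0}._{1}.{2}' -f $Service, $Protocol, $Domain)
}

function Select-SrvTarget {
    param([Parameter(Mandatory)] [object[]] $Records)
    # Only the records with the lowest priority are candidates; higher priorities are fallbacks.
    $best = ($Records | Measure-Object -Property Priority -Minimum).Minimum
    $candidates = @($Records | Where-Object { $_.Priority -eq $best })
    $total = [int]($candidates | Measure-Object -Property Weight -Sum).Sum
    if ($total -eq 0) { return $candidates[0] }          # all weights zero: any candidate is acceptable
    # Weighted random choice over the candidates: a weight of 0 is never picked when others are positive.
    $roll = Get-Random -Minimum 1 -Maximum ($total + 1)
    $acc = 0
    foreach ($r in $candidates) {
        $acc += $r.Weight
        if ($roll -le $acc) { return $r }
    }
}

# Constructed sample: two DCs at the main site and one backup DC at a lower preference.
$records = @(
    [pscustomobject]@{ Priority = 0;  Weight = 100; Port = 389; NameTarget = 'dc1.corp.example' },
    [pscustomobject]@{ Priority = 0;  Weight = 50;  Port = 389; NameTarget = 'dc2.corp.example' },
    [pscustomobject]@{ Priority = 10; Weight = 0;   Port = 389; NameTarget = 'dc-backup.corp.example' }
)
$name = Get-SrvQueryName -Domain 'corp.example'
$pick = Select-SrvTarget -Records $records   # dc1 about twice as often as dc2; dc-backup only if priority 0 disappears
'{0} -> {1}:{2}' -f $name, $pick.NameTarget, $pick.Port

# Live lookup, for comparison (needs a resolver that serves the AD zone):
#   Resolve-DnsName -Name (Get-SrvQueryName -Domain 'corp.example') -Type SRV
# Site-aware clients query _ldap._tcp.<site>._sites.dc._msdcs.<domain> first, which is how
# the site information mentioned earlier keeps authentication traffic off the WAN.
```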

Global catalog

Active Directory provides a global catalog (GC), a single source for locating any object in the organization's network.

The global catalog is a service in Windows 2000 Server that lets users find any object to which they have been granted access. This functionality far exceeds the features of the Find Computer application included in previous versions of Windows, since users can search for any object in Active Directory: servers, printers, users and applications.

over the participants of the Mobile World Congress exhibition. The company's employees set up three open Wi-Fi access points at the airport near the stand to register exhibition visitors and gave them the standard names "Starbucks", "MWC Free WiFi" and "Airport_free_Wifi_aena". In 4 hours, 2000 people connected to these points.


As a result of the experiment, a report was compiled in which Avast employees analyzed the traffic of everyone who connected to the open Wi-Fi points. Personal information of 63% of those connected was disclosed: logins, passwords, email addresses, etc. If the report had not been presented at the exhibition, the participants in the experiment would never have learned that someone had access to their data.


We connect to our company's network from home, hotels or cafes without even realizing how much damage we can cause.


According to statistical studies, more than 40 percent of company employees work remotely at least one day per week.


But it turns out that an employee working remotely over the Internet is a much more vulnerable user and a potential threat to the company. Therefore the security of remote users needs special attention.

Threat factors

A user's remote workplace introduces three additional threat factors compared with a local office workstation:

  1. The remote user is outside the organization's physical control zone. Proof is required that it is the company's employee connecting to the corporate resource, and not an attacker.
  2. The remote user's data travels over channels outside the organization's control zone. This data is subject to interception, unauthorized modification and "mixing in" of extraneous traffic.
  3. The company cannot provide physical security for the remote workplace itself. Also, the computer used may not comply with configuration requirements.

Therefore, when organizing remote access, three basic information security principles must be observed:

  • confidentiality (important information should be available only to a limited circle of persons);
  • integrity (changes to information that lead to its loss or distortion should be prevented);
  • availability (information should be available to authorized users when they need it).

How to protect remote access?

The following security mechanisms can be used to protect remote employees:

  • reliable user authentication tools (passwords, hardware, biometrics, etc.);
  • an access control system (centralized control of access to the company's IT resources);
  • a VPN (hardware devices, software solutions, firewall extensions, etc.);
  • means of countering attacks (protection of the internal network and employees from attacks).

We will describe one of these security mechanisms: VPN.

Why do you need a VPN?

A VPN connection provides a more secure connection to the corporate network and the Internet.

VPN use cases:

  • Internet access;
  • access to the corporate network from outside;
  • joining the components of the corporate network.

Your company's network infrastructure can be prepared for VPN using software or hardware.


There are a large number of paid and free VPN services.


Such services mainly operate over four protocols:

  1. IPsec, operating in transport and tunnel modes. In transport mode only the payload of the data packet is encrypted; in tunnel mode the entire packet is.
  2. PPTP, the Point-to-Point Tunneling Protocol, which uses a tunneling method in which data is carried as PPP packets. These, in turn, are placed into IP packets and forwarded to the destination.
  3. L2TP, the Layer 2 Tunneling Protocol, which operates on two main nodes: the L2TP Access Concentrator (LAC) and the L2TP Network Server (LNS). The LAC is the device that terminates the call, while the LNS authenticates the PPP packets.
  4. TLS and SSL, cryptographic protocols using a combination of authentication and encryption to exchange data between the server and the client.


There are also VPN services for corporate use. One of the best known is OpenVPN. It is a secure and inexpensive service.


Its advantages are:

  1. Security. The use of multiple cryptographic primitives (HMAC, 3DES, AES, RSA) and a 2048-bit key provides reliable encryption of all data.
  2. Flexibility. OpenVPN can run a connection through a proxy or SOCKS, over various protocols, when DHCP is forcibly blocked, and through firewalls.
  3. Support on most devices, including the Apple iOS and Google Android platforms.

Is it possible to set up a VPN connection without using third-party programs?

Sometimes there is no point in using third-party services if similar features are built into the operating system.


We want to demonstrate how to configure a secure VPN connection over SSTP using standard Windows capabilities.


In this case the VPN connection is protected by traffic encryption using a digital certificate (SSL) presented by the VPN server. While establishing the VPN connection, the client operating system verifies the VPN server's certificate: in particular, it checks that the server certificate has not been revoked and whether the root certificate of the certification authority that issued the VPN server's certificate is trusted. That is why one of the requirements for successful operation of a VPN connection over SSTP is the ability to automatically update the list of root certificates via the Internet.


SSTP is a modern and secure protocol. An additional advantage is its ability to work through the universally available HTTPS port (TCP 443), used for ordinary web browsing, which means that a VPN connection over SSTP will work through almost any Internet connection.

VPN and two-factor authentication

The VPN connection itself is encrypted. But using a login and password for VPN authentication is not secure at all. There is a way out: two-factor authentication. It allows the user to confirm his identity in two ways. It is advisable to use a hardware device (token or smart card) to set it up. Then, when establishing a VPN connection, the user will need not a password but the device itself and its PIN.


The main advantage of hardware for VPN is the uniqueness of the private key, which comes from the fact that the private key cannot be copied from the device or reproduced. After all, if the authentication means is not unique, it is impossible to be sure that the user who gained access is the user to whom that access was assigned.


With a password the situation is completely different. Anyone who learns your password, deliberately or by accident, can use it without your knowledge. That means they can do, on behalf of the password's owner, whatever they want. Tracking such a situation is quite difficult, especially if the attacker is technically savvy.

Configuring a VPN server

We will start configuring the VPN connection by deploying a simple VPN server based on Windows Server 2012 R2.


Such a server, installed on standard hardware, can be used on a small office network that needs to provide remote connections for a few dozen employees (30-50 people).

VPN server configuration

Open Server Manager and click the link Add Roles and Features.


Choose the role Remote Access.



Select the role service DirectAccess and VPN (RAS).



Click the [Install] button. This starts installation of the Remote Access role.



In the initial Remote Access wizard window, choose Deploy VPN only.


After that, add the server. In the Routing and Remote Access window, open the Action menu and select Add Server. Then confirm the addition.


Right-click the name of the added server and select Configure and Enable Routing and Remote Access.



Select Custom configuration.



As the custom configuration, we specify VPN access.



Start the service by clicking the [Start service] button.



The server is almost ready.


For example, we use the simplest and most obvious method: a static pool of addresses for 5 users.


Open the properties of the added server.



Select Static address pool and click the [Add] button.


In the New IPv4 Address Range window, specify the start and end IP addresses.


Click the [Apply] button.


The Remote Access role is configured; now open the ports in the firewall.

Opening firewall ports

For TCP, open ports 1723 and 443.



For UDP, open ports 1701, 500 and 50.



In the next stage, we will configure local security policy.

Configuring the Local Security Policy

Open the list of local security policies and select User Rights Assignment.



Select the policy Allow log on through Remote Desktop Services.


Click the [Add User or Group] button.


Find the group Domain Users and add it.


The penultimate step is to configure access for specific users.

Configuring access for a specific user

Open Server Manager, select Tools and then Active Directory Users and Computers.


Find the required user, open its Properties, and on the Dial-in tab select Allow access. Click the [Apply] button.


Finally, check whether remote access is allowed in the system properties.


To do this, open the system properties, choose Remote settings and select Allow remote connections to this computer.


That completes the server configuration. Now we will configure the VPN connection on the computer that will be used for remote access.
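The server-side procedure above, as an added example that is not part of the original article: the same steps as PowerShell cmdlets from the ServerManager, RemoteAccess, NetSecurity and ActiveDirectory modules on Windows Server 2012 R2, run in an elevated session on the server. The address range, certificate subject and user name are placeholders; the script opens only TCP 443, because SSTP, the tunnel type this article configures, needs nothing else.

```powershell
# Added example, not from the original article. Placeholders: address pool, certificate
# subject and user name. Run elevated on the future VPN server.

# Role "Remote Access" with the role service "DirectAccess and VPN (RAS)"
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools

# "Deploy VPN only" / custom configuration "VPN access"
Install-RemoteAccess -VpnType Vpn

# "Static address pool": five addresses for five remote clients
Set-VpnIPAddressAssignment -IPAddressAssignmentMethod StaticPool `
    -IPAddressRange @('192.168.10.200', '192.168.10.204')

# Two-factor logon with a token is EAP-TLS, so the server must accept EAP.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP

# SSTP presents a certificate to the client; it must already be in the machine store,
# issued to the name clients will dial, and bound under RRAS server Properties >
# Security > "SSL Certificate Binding" (the GUI step this article's screenshots cover).
Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like '*vpn.corp.example*' |
    Select-Object Subject, NotAfter, Thumbprint

# Firewall. The text lists 1723/tcp (PPTP) and 1701/500/udp (L2TP/IPsec) as well,
# but every listener you expose is attack surface: open those only if you really
# offer those tunnel types. SSTP needs just the HTTPS port.
New-NetFirewallRule -DisplayName 'SSTP VPN (TCP 443)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow

# "Dial-in" tab > "Allow access" is the msNPAllowDialin attribute on the user object.
# Grant it per user rather than to everyone: it is the gate that decides who may
# connect at all. (The "Allow log on through Remote Desktop Services" policy step in
# the text controls RDP logon to this server, not VPN access; leave it out unless
# those users genuinely need RDP.)
Import-Module ActiveDirectory
Set-ADUser -Identity 'ivan.petrov' -Replace @{ msNPAllowDialin = $true }

# Review: who is currently allowed to dial in, and what the server accepts.
Get-ADUser -Filter { msNPAllowDialin -eq $true } -Properties msNPAllowDialin |
    Select-Object SamAccountName, Enabled
Get-VpnAuthProtocol
```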

Configuring a VPN connection

Configuring a VPN on a Windows 10 computer is extremely simple. You will need account details (login, password), the server's IP address and an Internet connection. For hardware two-factor authentication you will also need a token.


You do not need any additional programs; everything is already in Windows.


Let's start the setup. As the hardware device I will use a Rutoken EDS PKI, a device for secure storage of keys and certificates.



To configure the connection, we will need a certificate containing the Smart Card Logon and Client Authentication policies.


The process of creating such a certificate was described earlier. Link to the description.


Open the Network and Sharing Center window. Click the link Set up a new connection or network.



The Set Up a Connection or Network window opens. Select Connect to a workplace and click the [Next] button.




In the Internet address field, specify the VPN server's address.


In the Destination name field, specify the name of the VPN connection.


Select the Use a smart card checkbox and click the Create button.



The VPN connection is created, but we need to change its parameters.


Open the Network and Sharing Center window again and click the link Change adapter settings.



In the Network Connections window, right-click the name of the created VPN connection and select Properties.



Go to the Security tab and choose the following parameters.


These settings are enough for the VPN connection to connect successfully over a secure VPN protocol to the specified network. However, once the VPN connection is established, all network traffic from the computer will by default be sent to the gateway of the specified network. This may mean that while connected to the VPN, working with Internet resources becomes impossible. To avoid this problem, go to the Networking tab, select the row Internet Protocol Version 4 (TCP/IPv4) and click the Properties button.


On the Internet Protocol Version 4 properties page, click the [Advanced] button.


Clear the checkbox Use default gateway on remote network.


Confirm all the changes. The configuration process is complete.


Now let's check the connection.


In the taskbar, click the Internet access icon and choose the created VPN connection. The Settings window opens.


Click the name of the VPN connection and click the Connect button.



Enter the token PIN and click the [OK] button.



As a result, the VPN connection is established.


To check the status of the VPN connection, open the Network Connections window and find the created connection. Its status must be "Connected".


To disconnect the VPN, find the created connection in the same window, right-click its name and select Connect / Disconnect.
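The client-side procedure above, as an added example that is not part of the original article: the same connection created with the VpnClient module cmdlets on Windows 10. Server name and connection name are placeholders; `-SplitTunneling` is the equivalent of clearing "Use default gateway on remote network", and `-VerifyServerIdentity` on the EAP profile is assumed here to be what makes the client perform the certificate validation the text describes.

```powershell
# Added example, not from the original article. Placeholders: server name, connection name.
$server = 'vpn.corp.example'              # the "Internet address" field
$name   = 'Corp VPN (SSTP, smart card)'   # the "Destination name" field

# EAP-TLS with a smart card is the "Use a smart card" option on the Security tab.
# -VerifyServerIdentity is assumed to switch on server certificate validation
# (revocation and root trust), which the text lists as a requirement for SSTP.
$eap = New-EapConfiguration -Tls -UseSmartCard -VerifyServerIdentity

Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Sstp `
    -AuthenticationMethod Eap -EapConfigXmlStream $eap.EapConfigXmlStream `
    -EncryptionLevel Required `
    -SplitTunneling `               # do not send all traffic through the remote gateway
    -RememberCredential:$false `    # the PIN is entered each time, never cached
    -Force

# Split tunneling keeps Internet access working while connected, as the text wants;
# the trade-off is that only corporate-bound traffic is protected and inspected by
# the VPN server, so the local network stays in the picture for this client.

# Review the result against the settings the text asks for.
Get-VpnConnection -Name $name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling

# Dial: rasphone opens the connection dialog, and the smart-card PIN prompt follows.
rasphone -d $name
# Status check, the script equivalent of the "Connected" status in Network Connections:
(Get-VpnConnection -Name $name).ConnectionStatus
```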

Summary

When a VPN connection is established, all traffic starts passing through the VPN server.


The reliability of VPN traffic protection lies in the fact that even if attackers somehow intercept the transmitted data, they still will not be able to use it, since the data is encrypted.


And if you also install and configure special traffic monitoring applications, you can filter traffic successfully, for example automatically check it for viruses.


I hope we have managed to convince you that VPN is easy, accessible and, most importantly, secure!

Active Directory is a directory service for managing a network. It is a much better alternative to local groups and lets you build computer networks with efficient management and reliable data protection.

If you have not come across the concept of Active Directory before and do not know how such services work, this article is for you. Let's figure out what this concept means, what the advantages of such databases are, and how to create and configure them for initial use.

Active Directory is a very convenient means of system management. With Active Directory, you can manage data effectively.

These services let you create a single database run by domain controllers. If you own an enterprise or run an office, in general manage the activities of many people who need to be brought together, such a domain will be useful to you.

It includes all objects: computers, printers, faxes, user accounts, etc. The set of domains on which the data is located is called a "forest". The Active Directory base is a domain environment in which the number of objects can reach 2 billion. Imagine that scale!

That is, with the help of such a "forest" or database you can connect a large number of employees and equipment in the office, without being tied to one place: other users can connect to the services, for example, from the company's office in another city.

In addition, several domains are created within Active Directory services: the larger the company, the more resources are needed to manage its equipment within the database.

Then, when creating such a network, one controlling domain is defined, and even when other domains are added later, the initial one remains the "parent", that is, only it has full access to information management.

Where is this data stored, and what makes domains exist? Active Directory is built on domain controllers. Usually there are two: if something happens to one, the information is preserved on the second controller.

Another way to use the database is if, for example, your company cooperates with another one and you have to do a joint project. In that case, outside people may need access to files in your domain, and here you can configure a kind of "relationship" between two different "forests", opening access to the required information without risking the security of the rest of the data.

In general, Active Directory is a means of creating a database within a certain structure, regardless of its size. Users and all equipment are combined into one "forest", and domains are created that are placed on controllers.

It is also worth clarifying that the service can run only on devices with Windows Server operating systems. In addition, 3-4 DNS servers are created on the controllers. They serve the main domain zone, and if one of them fails, the other servers take over.

After this brief overview of Active Directory for dummies, you are naturally interested in the question: why replace a local group with a whole database? Naturally, the range of possibilities is much wider, and to learn the other distinctions of these system-management services, let's consider their advantages in more detail.

Advantages of Active Directory

The advantages of Active Directory are as follows:

  1. Using one resource for authentication. Otherwise, you need to add all accounts on each PC that requires access to shared information. The more users and equipment, the harder it is to keep this data in sync between them.

With database-backed services, accounts are stored in one place, and changes take effect immediately on all computers.

How does it work? Each employee, arriving at the office, starts the system and logs in to his account. The logon request is automatically sent to the server, and authentication happens there.

To keep order in the records, you can always divide users into groups, such as "HR department" or "Accounting".

Granting access to information is even easier in this case: if you need to open a folder to workers from one department, you do it through the database. They get access to the required folder with the data, while the remaining documents stay closed.

  2. Control over each database participant.

Whereas in a local group each participant is independent and is hard to control from another computer, in domains you can set certain rules that meet the company's policies.

As a system administrator, you can set access and security settings and then apply them to each user group. Naturally, depending on the hierarchy, some groups can be given stricter settings, and others access to other files and actions in the system.

In addition, when a new person joins the company, his computer will immediately receive the desired set of settings with the components needed for work.

  3. Universality in installing software.

By the way, using Active Directory you can assign printers, install the necessary programs for all employees at once, and set privacy parameters. In general, creating a database will significantly optimize work, maintain security and bring users together to maximize work efficiency.

And if the company uses a separate utility or special services, they can be synchronized with the domains, simplifying access to them. How? If you combine all products used in the company, the employee will not need to enter different logins and passwords for each program: this information will be shared.

Now that the advantages and meaning of using Active Directory are clear, let's consider the process of installing these services.

Using the database on Windows Server 2012

Installing and configuring Active Directory is not very difficult, and it is easier than it seems at first glance.

To install the services, first do the following:

  1. Change the computer name: click "Start", open Control Panel, then the "System" item. Select "Change settings", and in the properties next to the "Computer name" line click "Change", then enter the new name for the main PC.
  2. Restart the PC when prompted.
  3. Set the network settings like this:
    • Through Control Panel, open Network and Sharing Center.
    • Open the adapter settings. Right-click, choose "Properties" and open the "Networking" tab.
    • In the list, click Internet Protocol Version 4 and click "Properties" again.
    • Enter the required settings, for example: IP address 192.168.10.252, subnet mask 255.255.255.0, default gateway 192.168.10.1.
    • In the "Preferred DNS server" line, specify the address of the local server; in the "Alternate..." line, the addresses of other DNS servers.
    • Save the changes and close the windows.

Install the Active Directory roles like this:

  1. Open "Server Manager" from Start.
  2. In the menu, select Add Roles and Features.
  3. The wizard starts; the first window with the description can be skipped.
  4. Mark the "Role-based or feature-based installation" line and go on.
  5. Select your computer to install Active Directory on it.
  6. From the list, select the role you want to install; in your case this is "Active Directory Domain Services".
  7. A small window will appear with the features required by the role's services; accept it.
  8. After that you will be offered other features to install; if you do not need them, just skip this step by clicking "Next".
  9. The wizard will display a window describing the services you are installing; read it and move on.
  10. A list of the components to be installed appears; check whether everything is correct and, if so, click the appropriate button.
  11. When the process is complete, close the window.
  12. That's all: the services are installed on your computer.

Setting up Active Directory

To configure the domain service, i.e. to promote the server to a domain controller, do the following:

  • Open Server Manager again.
  • Click the yellow warning flag at the top of the window and select "Promote this server to a domain controller".
  • Choose "Add a new forest", enter the name of the root domain, and click "Next".
  • Specify the forest and domain functional levels; for a new forest they are usually the same.
  • Set the Directory Services Restore Mode (DSRM) password and record it securely. This is not the domain administrator's password: it is the only credential that lets you log on to the controller when the directory itself is offline.
  • A warning that a DNS delegation could not be created appears; for a new forest with no parent zone this is expected and can be skipped. The wizard then verifies the NetBIOS name.
  • On the next page you can change the paths for the database, log files and SYSVOL; do so if the defaults do not suit you.
  • The wizard shows all the options you selected; review them and continue.
  • The prerequisite check runs; if there are no remarks, or only non-critical ones, click "Install".
  • When the installation completes, the server restarts on its own as a domain controller.
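Both wizards, the role installation and the promotion to a domain controller, map to two cmdlets. The following block is an added example, not code from the original article; it creates a new forest on the prepared server from an elevated PowerShell session. The domain name and the NetBIOS name are assumptions, and the DSRM password is read interactively so it never lands in a script file:

```powershell
# Added example (not from the original article): role installation and
# forest creation on Windows Server 2012, equivalent to the two wizards.
$DomainName  = 'corp.example.local'   # assumption: forest root domain
$NetbiosName = 'CORP'                 # assumption: NetBIOS name, no DNS suffix

# Directory Services Restore Mode password, the same one the wizard asks for.
# It is not the domain administrator's password; keep it in a safe place,
# it is the only way to log on when AD DS itself is down.
$DsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM password'

# Step 1: the AD DS role plus the management tools (ADUC, the ActiveDirectory
# module, DNS tools).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: the prerequisite check the wizard runs, as a dry run.
Import-Module ADDSDeployment
Test-ADDSForestInstallation -DomainName $DomainName `
    -SafeModeAdministratorPassword $DsrmPassword -InstallDns

# Step 3: promote. The paths are the wizard's defaults; change them here if
# the database should live on a separate volume. The server reboots when
# done, just as the wizard does.
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -ForestMode 'Win2012' `
    -DomainMode 'Win2012' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force
```

`-CreateDnsDelegation:$false` silences the delegation warning described above; set it to `$true` only when a parent DNS zone exists and the account running the script can write to it.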

You may also want to know how to add a user to the directory. For this, use the "Active Directory Users and Computers" console, which you will find under "Administrative Tools" in Control Panel or in the Server Manager "Tools" menu.

Before adding a user, right-click the domain name, select "New", then "Organizational Unit". A window appears where you enter the name of the new unit; it serves as a folder in which users of one department are grouped. In the same way you later create other units and place all employees in them.

Next, once the unit is created, right-click it and select "New", then "User". Now it remains only to enter the required data and set the account options for the user.

When the new account is created, right-click it, open "Properties", and on the "Account" tab clear the "Account is disabled" checkbox if the wizard left it set. That's all.
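The same organizational unit and user can be created with the ActiveDirectory module instead of the console. The following block is an added example, not code from the original article; the department name, the user's details and the account name are assumptions:

```powershell
# Added example (not from the original article): create an OU and a user
# in it, the scripted counterpart of the ADUC steps above.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName      # e.g. DC=corp,DC=example,DC=local
$OuName   = 'Accounting'                   # assumption: department OU
$OuDN     = "OU=$OuName,$DomainDN"

# The OU is the "folder" for one department. Protecting it from accidental
# deletion is what the console does by default; keep that behaviour.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
            -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN `
        -ProtectedFromAccidentalDeletion $true
}

# Create the account disabled, then enable it once the password is set, the
# order the wizard enforces. The initial password is read interactively and
# must be changed at first logon, so the administrator never knows the
# user's real password.
$Initial = Read-Host -AsSecureString -Prompt 'Initial password for ivanov'
New-ADUser `
    -Name 'Ivan Ivanov' `
    -GivenName 'Ivan' -Surname 'Ivanov' `
    -SamAccountName 'ivanov' `
    -UserPrincipalName "ivanov@$($Domain.DNSRoot)" `
    -Path $OuDN `
    -AccountPassword $Initial `
    -ChangePasswordAtLogon $true `
    -Enabled $false

# Equivalent of clearing "Account is disabled" on the Account tab.
Enable-ADAccount -Identity 'ivanov'

# Confirm the result: enabled, in the right OU, password set.
Get-ADUser -Identity 'ivanov' -Properties Enabled, PasswordLastSet |
    Format-List SamAccountName, Enabled, DistinguishedName, PasswordLastSet
```

Because the account is created disabled and enabled in a separate step, a failure anywhere in the middle leaves an account nobody can log on with, rather than an enabled account with an unknown state.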

The general conclusion: Active Directory is a powerful and useful tool for managing systems, which brings all of the employees' computers into a single structure. With it you can build a protected directory and significantly streamline work and the sharing of information between users. If your company's activity involves computers and a network, and you need to consolidate accounts and control access and confidentiality, a directory based on Active Directory is an excellent solution.

Active Directory is an extensible and scalable directory service that allows network resources to be managed efficiently.
Active Directory is a hierarchically organized store of data about network objects that provides convenient tools for searching and using that data. A computer running Active Directory is called a domain controller. Almost all administrative tasks are tied to Active Directory.
Active Directory is built on standard Internet protocols and helps define the network structure clearly; deploying an Active Directory domain from scratch is described in more detail in a separate article.

Active Directory and DNS

Active Directory depends on the Domain Name System. Domain names are DNS names, and clients locate domain controllers for logon, Kerberos and LDAP by querying SRV records that the controllers register in DNS, so a working, AD-integrated DNS is a prerequisite rather than an option.
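When clients cannot join or log on, the DNS records are the first thing to check. The following block is an added example, not code from the original article; it queries the SRV records that a domain controller registers and asks the Netlogon locator the same question a workstation asks at boot. The domain name is an assumption:

```powershell
# Added example (not from the original article): verify that the DNS side
# of a domain is healthy, from any domain-joined machine with the RSAT tools.
$Domain = 'corp.example.local'    # assumption

# Domain controllers register themselves under _msdcs.<domain>. If the LDAP
# record is missing, clients cannot find a controller at all.
$ldap = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$ldap | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# The Kerberos KDC record (port 88) must exist too, otherwise logon falls
# back to failure rather than to another protocol.
Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port

# Netlogon's DC locator, the path a workstation takes when it boots.
nltest /dsgetdc:$Domain

# On a domain controller: confirm it is advertising its services and that
# its own DNS registrations are correct. /q prints only failures.
dcdiag /test:DNS /test:Advertising /q
```

Each `NameTarget` returned by the SRV queries must itself resolve to the controller's static address; a stale A record after an IP change is a common cause of "domain controller could not be contacted" errors.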

Administer Active Directory.

Using the Active Directory service, you create computer accounts, join computers to the domain, and manage computers, domain controllers and organizational units (OUs).

Administration and support tools are provided for managing Active Directory. The tools listed below are implemented as snap-ins for the Microsoft Management Console (MMC):

  • Active Directory Users and Computers lets you manage users, groups, computers and organizational units (OUs);
  • Active Directory Domains and Trusts is used for working with domains, domain trees and domain forests;
  • Active Directory Sites and Services lets you manage sites and subnets;
  • Resultant Set of Policy is used to view the policy currently in effect for a user or computer and to plan policy changes.

In Windows Server 2003 these snap-ins are available directly from the Administrative Tools menu.

Another administration tool is the Active Directory Schema snap-in, which lets you view and modify the directory schema.

Active Directory Command Line Utilities

To manage Active Directory objects there are also command-line tools that cover a wide range of administrative tasks:

  • DSADD adds computers, contacts, groups, OUs and users to Active Directory.
  • DSGET displays the properties of computers, contacts, groups, OUs, users, sites, subnets and servers registered in Active Directory.
  • DSMOD changes the properties of computers, contacts, groups, OUs, users and servers registered in Active Directory.
  • DSMOVE moves a single object to a new location within the domain, or renames an object without moving it.
  • DSQUERY searches Active Directory for computers, contacts, groups, OUs, users, sites, subnets and servers matching specified criteria.
  • DSRM removes an object from Active Directory.
  • NTDSUTIL lets you view information about a site, domain or server, manage the operations master (FSMO) roles and maintain the Active Directory database.

Active Directory is Microsoft's directory service for the Windows NT family of operating systems.

The service lets administrators use Group Policy to keep users' working environments uniform and to install software, updates and so on.

What is the essence of how Active Directory works, and what problems does it solve? Read on.

Principles of peer-to-peer (workgroup) and domain networks

But another problem arises: what if user2 on PC2 decides to change his password? In a workgroup, access to a shared resource on PC1 works only because PC1 holds a local account with the same username and password; once the password changes on one side, the credentials no longer match and user2's access to the resource on PC1 stops working until an administrator updates the copy.

Another example: we have 20 workstations with 20 accounts that need access to a resource; for this we must create 20 accounts on the file server and grant each of them access to that resource.

And what if there are not 20 but 200?

As you can see, with this approach network administration turns into a nightmare.

Therefore, the workgroup approach suits small office networks of no more than about 10 computers.

If there are more than 10 workstations on the network, it is more reasonable to delegate authentication and authorization to a single node.

That node is the domain controller running Active Directory.

Domain Controller

The controller stores the account database, i.e. it holds the accounts for both PC1 and PC2.

Now each account is defined once, on the controller, and local accounts on every workstation are no longer needed.

When a user logs on to a PC and enters a username and password, the credentials are sent to the domain controller in protected form, and the controller performs authentication and authorization.

The controller then issues the logged-on user something like a passport (a Kerberos ticket), which the user's computer presents to other computers and servers on the network whose resources the user wants to access.

Important! The domain controller is a computer with the Active Directory service installed that controls user access to network resources. It stores objects representing resources (for example, printers and shared folders), services (for example, e-mail), people (user accounts and groups) and computers (computer accounts).

The number of such stored objects can reach millions.

The following versions of MS Windows can act as a domain controller: Windows Server 2000/2003/2008/2012, except the Web Edition.

Besides being the center of network authentication, the domain controller is also the management center for all computers.

As soon as a computer is turned on it begins contacting the domain controller, long before the logon window appears.

Thus not only the user who enters a username and password is authenticated, but also the client computer itself: every domain-joined computer has its own account and password in the directory, which it uses to establish a secure channel with the controller.
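The computer's own account can be inspected like a user's. The following block is an added example, not code from the original article; it checks the secure channel a workstation establishes with its domain controller and shows the computer account's password age. Run it on a domain-joined machine; the repair step needs domain administrator credentials:

```powershell
# Added example (not from the original article): inspect and repair the
# computer account's trust relationship with the domain.

# The secure channel is negotiated with the computer account's password when
# the machine boots. If it is broken, users see "the trust relationship
# between this workstation and the primary domain failed".
$ok = Test-ComputerSecureChannel -Verbose
"Secure channel healthy: $ok"

if (-not $ok) {
    # Resets the computer account password on both sides instead of the old
    # leave-and-rejoin routine, which would create a new SID-less history.
    $cred = Get-Credential -Message 'Domain admin account for the repair'
    Test-ComputerSecureChannel -Repair -Credential $cred
}

# Netlogon's own view of the channel: which controller it is bound to.
nltest /sc_query:$env:USERDOMAIN

# The computer account has a password like any user; by default the machine
# rotates it every 30 days. A very old PasswordLastSet on a machine that is
# supposedly in use points at a clone or at a machine that cannot reach a DC.
Import-Module ActiveDirectory
Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    Format-List Name, PasswordLastSet, LastLogonDate, OperatingSystem, Enabled
```

`Test-ComputerSecureChannel -Repair` only works while the computer account still exists and is enabled; if it has been deleted, the machine has to be rejoined to the domain.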

Installing Active Directory.

Consider an example of installing Active Directory on Windows Server 2008 R2. To install the Active Directory role, open "Server Manager":

  1. Select "Add Roles".
  2. Select the "Active Directory Domain Services" role.
  3. Proceed to the installation.
  4. A notification window confirms that the role has been installed.

After installing the role, proceed to set up the domain controller itself:

  1. Click "Start", type DCPROMO into the search box, run the wizard and tick "Use advanced mode installation".
  2. Click "Next" and, from the options offered, choose to create a new domain in a new forest.
  3. Enter the domain name, for example example.net.
  4. Enter the NetBIOS domain name, without the DNS suffix (for example.net this would be EXAMPLE).
  5. Select the functional level of the domain.
  6. Because of the way a domain controller operates, install the DNS server as well when the wizard offers it.
  7. Leave the locations of the database, log files and SYSVOL unchanged.
  8. Enter the Directory Services Restore Mode administrator password. This is not the domain administrator's password; it is used only to log on to the controller in restore mode, so record it securely.
  9. Check that everything has been filled in correctly and, if so, click "Next".

The installation then runs, and at the end a window reports that it completed successfully.

Introduction to Active Directory

This part covers the two kinds of network that can be built with Microsoft operating systems: the workgroup and the Active Directory domain.